On Wed, 22 Oct 2014, Mark Allman wrote:
> That is not what we are proposing. We are not suggesting resolvers be *moved*, but rather *removed*. That is, clients simply do name lookup on their own.
"Simply" on their own moves the entire query load of all endpoints (billions) onto the authoritative nameservers only. Do you really propose that a billion clients should perform lookups against my 3 poor nameservers for nohats.ca.? Have you talked to operators worldwide about what the query load on their caching resolvers is? (Please do not come back with djb-quoted numbers; he was proven wrong on his fabricated caching statistics by Dan Kaminsky and me.)
> Let me be clear... I am not arguing against DNSSEC. A crypto-signed record is always better than a clear text record. But DNSSEC is still not here, and it seems to me that factoring out some of the intermediaries that we know sometimes both play games and have games played on them may well be a useful path.
Validating stubs are perfectly capable of dealing with DNSSEC-forged replies from intermediate caches, and can try to work their way around those. Those are the exceptions and leave the intermediary caching system intact. Suggesting to dismantle the largest distributed database in the world and thinking you can get away with it is a very ill-thought-out plan not rooted in reality.

Paul

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
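The load argument in the reply above can be made concrete with a small model. The following is an added example, not code from either poster or from the list: it compares, for a single record with a given TTL, how many queries reach the authoritative server when many stub clients sit behind one shared caching resolver versus when every client looks the name up on its own. The client population, query times, TTL and time horizon are all constructed; the model assumes uniformly distributed query times, no prefetching and no negative caching.

```python
"""Constructed model of authoritative DNS query load: shared cache vs. per-client lookup.

An authoritative server sees one query per cache each time that cache's
copy of the record expires. With a shared caching resolver there is one
cache for all clients; with clients resolving on their own, every client
is its own cache and expiries are not shared across clients.
"""
import random
from dataclasses import dataclass, field


@dataclass
class TtlCache:
    """A single-record cache: a miss refetches from the authority and restarts the TTL."""
    ttl: float
    expires_at: float = field(default=-1.0)
    misses: int = 0  # each miss is one query that reached the authoritative server

    def lookup(self, now: float) -> bool:
        """Return True on a cache hit, False on a miss (which refetches)."""
        if now < self.expires_at:
            return True
        self.misses += 1
        self.expires_at = now + self.ttl
        return False


def client_query_times(num_clients: int, queries_per_client: int,
                       horizon: float, rng: random.Random) -> list[list[float]]:
    """Constructed schedule: each client asks for the name at uniform random times in [0, horizon)."""
    return [sorted(rng.uniform(0.0, horizon) for _ in range(queries_per_client))
            for _ in range(num_clients)]


def authoritative_load(num_clients: int, queries_per_client: int,
                       ttl: float, horizon: float, seed: int = 1) -> tuple[int, int]:
    """Return (queries reaching the authority with a shared cache,
               queries reaching the authority with per-client lookup)
    for the same constructed query schedule."""
    rng = random.Random(seed)
    schedule = client_query_times(num_clients, queries_per_client, horizon, rng)

    # Shared caching resolver: all clients' queries hit one cache, in time order.
    shared = TtlCache(ttl)
    for t in sorted(t for times in schedule for t in times):
        shared.lookup(t)

    # Clients on their own: each client only benefits from its own earlier lookups.
    own_caches = [TtlCache(ttl) for _ in range(num_clients)]
    for cache, times in zip(own_caches, schedule):
        for t in times:
            cache.lookup(t)

    return shared.misses, sum(cache.misses for cache in own_caches)


if __name__ == "__main__":
    # 10,000 constructed clients, 5 lookups each over one hour, record TTL of 60 seconds.
    shared, per_client = authoritative_load(10_000, 5, ttl=60.0, horizon=3600.0)
    print(f"shared cache: {shared} authoritative queries")
    print(f"per-client lookup: {per_client} authoritative queries")
```

With a shared cache the authoritative query count is bounded by roughly horizon/TTL regardless of how many clients there are; with per-client lookup it grows with the number of clients, which is the effect the reply is describing. Lengthening the TTL helps the shared case far more than the per-client case, since each client still has to fetch the record at least once.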
