On Fri, May 22, 2020 at 10:55:34AM +1000, George Michaelson wrote:
> My colleague George Kuo asked me for definitions of public DNS
> service. Not "public DNS" but the trigram "public DNS service".
Is there room for this bike:
1) Policy: A "public DNS service" is a full DNS speaker outside of
the end user's network and control.
I.e., non-local recursion crosses one or more policy
barriers---local network, carrier, state and international---with
implications for integrity, resolution security, and privacy.
For some enterprises, recursion against 'public DNS services'
creates an audit criticism. A poorly selected public resolver
may import censorship. Or a well-selected resolver may evade
(older) regional media controls by suggesting false locality to a
media server, for those services unwilling to impose policy
regional controls in their TCP multiplex.
Given these explicit choices and surprise outcomes, "crossing
policy barriers" is a fair partial description.
2) Latent RRsets requiring protocol changes. Public DNS servers are
the most distant commercially viable DNS iterator from the end
user.
Resolvers mitigate distance-induced latency via anycasting and
robust provisioning. Suboptimal RRset selections required
fundamental protocol changes---e.g., exposing local octets to the
iterative layer---to accommodate what remains. (And hats off to the
Tor exit nodes offering on-exit recursion, and injecting RFC 1918
addresses into the ECS payload.)
"Distant" is a fair description. Users pay for this distance, in
either latency, privacy, or protocol changes.
3) "Free with footnotes".
No good deed goes unmonetized. Users should understand the
trade-offs in selecting a non-local resolver. The term "public"
obscures stakeholder interests.
I suggest: "distant resolver outside of the user's policy oversight".
--
David Dagon
[email protected]
D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
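Point 2 above is about the protocol change that "exposes local octets to the iterative layer": EDNS Client Subnet (RFC 7871), and the Tor-exit case where RFC 1918 addresses end up in the ECS payload. The following is an added example, not code from this thread or from any of the people in it. It encodes and decodes the RFC 7871 option wire format (option code 8; FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, then only ceil(prefix/8) address octets with the bits past the prefix zeroed) and runs a small resolver-side check over a constructed OPT RDATA. The policy of refusing to forward RFC 1918 client subnets upstream is an illustrative choice for the example, not something the thread prescribes; the function names and the sample bytes are mine.

```python
"""EDNS Client Subnet (RFC 7871) option encoder/decoder plus a resolver-side
sanity check.  Added example with constructed input; not code from the
DNSOP thread."""
import ipaddress
import struct

ECS_OPTION_CODE = 8                # RFC 7871, section 6
FAMILY_IPV4, FAMILY_IPV6 = 1, 2    # IANA address family numbers

# RFC 1918 space identifies nothing outside the client's own network, so the
# example policy below refuses to forward it upstream (an assumed policy).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def encode_ecs(addr, source_prefix, scope_prefix=0):
    """Build one complete EDNS0 option (code, length, payload) that carries
    the client address truncated to source_prefix bits."""
    ip = ipaddress.ip_address(addr)
    bits = ip.max_prefixlen
    if not 0 <= source_prefix <= bits:
        raise ValueError("prefix length out of range for address family")
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    # Only ceil(prefix/8) octets are transmitted, and bits beyond the prefix
    # inside the last octet MUST be zero (RFC 7871, section 6).
    nbytes = (source_prefix + 7) // 8
    mask = ((1 << source_prefix) - 1) << (bits - source_prefix)
    address = (int(ip) & mask).to_bytes(bits // 8, "big")[:nbytes]
    payload = struct.pack("!HBB", family, source_prefix, scope_prefix) + address
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def decode_ecs(option):
    """Parse one EDNS0 option.  Returns None for non-ECS options and raises
    ValueError for malformed ECS options."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        return None
    payload = option[4:4 + length]
    if len(payload) != length or length < 4:
        raise ValueError("truncated ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", payload[:4])
    address = payload[4:]
    total = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}.get(family)
    if total is None:
        raise ValueError("unknown address family %d" % family)
    if len(address) != (source_prefix + 7) // 8 or len(address) > total:
        raise ValueError("ECS address length does not match prefix length")
    # Pad the truncated octets back out so the client subnet is printable.
    ip = ipaddress.ip_address(address + b"\x00" * (total - len(address)))
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "address": str(ip),
            "exposed_octets": len(address)}


def iter_options(opt_rdata):
    """Walk the RDATA of an OPT RR and yield each raw option (code+len+data)."""
    pos = 0
    while pos + 4 <= len(opt_rdata):
        _, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        yield opt_rdata[pos:pos + 4 + length]
        pos += 4 + length


def inspect_ecs(opt_rdata):
    """Resolver-side check: report every ECS option in an OPT RR and whether
    the example policy would forward it upstream."""
    report = []
    for option in iter_options(opt_rdata):
        ecs = decode_ecs(option)
        if ecs is None:
            continue
        ecs["forward"] = not is_rfc1918(ecs["address"])
        report.append(ecs)
    return report


# Constructed sample OPT RDATA: a DNS COOKIE option (code 10, 8-byte client
# cookie) followed by an ECS option naming an RFC 1918 client /24.
SAMPLE_OPT_RDATA = (struct.pack("!HH", 10, 8) + b"\x01" * 8
                    + encode_ecs("10.20.30.40", 24))

if __name__ == "__main__":
    for entry in inspect_ecs(SAMPLE_OPT_RDATA):
        print(entry)
```

The masking step is the part worth noticing: a /24 exposes three octets of the client's address to every authoritative server the recursive resolver talks to, and a /20 exposes the same three octets with the low nibble of the third one zeroed. That is the privacy cost the post refers to, and it is paid regardless of whether the address in the payload is globally meaningful.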