Paul Vixie On What DNS Is Not
CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"
not only Verisign (Score:5, Insightful)
Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.
Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST respond truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."
Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.
Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.
Re:not only Verisign (Score:4, Interesting)
If your ISP does this, then there's a fairly good chance that the software they are using to do it is Nominum's CNS product.
Paul Vixie is on the Advisory Board for Nominum, who also make various other products which conflict with the views that Vixie has stated in this article.
Vixie - you can't have it both ways. If these are your real feelings then I call on you to resign your position on the Advisory Board at Nominum.
Don't be a baby! (Score:5, Insightful)
So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?
Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.
Basically, AC, people you work with will make decisions you disagree with. It is important that you put up with it, and not be a big baby.
Re: (Score:3, Insightful)
There is something to be said for not wasting your advice on a company that refuses to take it, especially when someone else can put your time to better use.
If the company is going to sink with or without your help, you may as well jump ship and rescue someone else instead of going down with them.
If I'm a consultant, I'm aware that my knowledge, and consequently, time, is a valuable resource. I'm not going to take a lot of crap from a company that pays me well just to have the privilege of ignoring me. Th
Re: (Score:2)
There's this little thing called capitalism, which optimally distributes resources to those who can best utilize them. In short, if you can get more use out of a resource, you can afford to pay more for that resource.
If someone is willing to pay Vixie more, I expect he'd take them up on the offer...
Re: (Score:3, Insightful)
The problem is that a lot of these boards never listen to the advice of experts, they only want the presence of experts in order to confer legitimacy on their decision. These boards and committees have only the interests of industry at heart, not those of the public. They're not interested in the facts, or how things should be done. They're interested in giving money and control to private companies.
Re: (Score:2)
Is that you, Obelix the gallstone? Fell into a vat of anonymous coward super juice as a young infant? I thought so.
He's only having it both ways if he privately supports Nominum's stupidity, while publicly declaiming his involvement.
This post is an excellent example of polarization disorder: the belief that the world will run most smoothly if everyone is neatly al
Re: (Score:2, Interesting)
actually i can have it both ways. i was a co-founder and was the first board chairman of nominum, and i still have many friends there. they know exactly how i feel about typosquatting. their product is smarter and tamer than others i can think of, but i still complain to them about it. i'm happy to be able to advise them on other matters.
Re: (Score:2)
And that's why a cheap, low-power computer or hackable router is awesome. Just run your own nameserver.
My ISP isn't horrible, but they hijack DNS with a "friendly" error message when there is more than a little network congestion, which sticks until the cache is flushed. That was enough to get me to stop using their server.
Re: (Score:2)
Well, I suppose a workaround to that would be to set up an encrypted tunnel to some machine outside their network and run your own DNS server there. Depending on your work IT policies you could even use your employer's VPN to run "private" DNS requests while still using your own internet connection for actually accessing the net.
That said I sure wish ISPs wouldn't do dumb shit like this, it pretty much breaks DNS.
/Mikael
Re: (Score:2)
If I'm OCD enough to set up my own DNSd, why do you assume I'd not think about that?
True, most people don't have hardware on another network, but virtual servers are silly cheap if you are only using it for DNS and SSH redirection.
Re: (Score:2)
You don't even need to point it to OpenDNS (which FYI does *exactly* the same kind of advertisement serving on non-existing domains). Just run your own recursive DNS server and you're good to go.
(unless of course your ISP doesn't let you send DNS requests to any other server than theirs, which some people seem to have here)
Re: (Score:2, Insightful)
It's not a problem per se - but everyone running a caching DNS server on their PC, because they can't trust the ISP, while seemingly beneficial now, has problems in theory down the road. The point of an ISP having a caching nameserver is so that queries get cached closer to home, and for a larger segment of the network. If *every* end client had their own full caching nameserver, rather than relying on a hierarchy, we'd have a tragedy of the commons, and the load on the authoritative servers would go way
Re: (Score:3, Informative)
Bind has Windows binaries for XP/2003/2008
https://www.isc.org/downloadables/11 [isc.org]
Re: (Score:2)
See that, "Typo Correction" = broken DNS. DNS is not supposed to answer what it thinks you meant, it is supposed to answer what you asked!
Re: (Score:3, Interesting)
Using a local installation of dnsmasq for your DNS server does, however, allow you to work around NXDOMAIN hijacking, assuming that your ISP uses a consistent IP address for its hijack.
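The workaround above depends on first learning which address the ISP substitutes for NXDOMAIN. The following is an added example, not code from the thread or from dnsmasq: it probes random names under the reserved example.com zone (with and without a www. prefix, since one poster reports an ISP that only hijacks www-prefixed names), reports any address that comes back for all of them, and emits the matching dnsmasq `bogus-nxdomain=` lines. The fake resolvers and the 192.0.2.53 portal address are constructed for offline demonstration.

```python
"""Detect NXDOMAIN hijacking and emit a dnsmasq workaround.

Added example (not from the thread or from dnsmasq). Probe several random,
certainly-nonexistent names; if the resolver answers them all with the same
address instead of NXDOMAIN, that address is the ISP's hijack page, and
dnsmasq's bogus-nxdomain option turns it back into NXDOMAIN for every
client behind the local resolver.
"""
import secrets
import socket
from collections import Counter
from typing import Callable, Iterable, List, Optional

Resolver = Callable[[str], Optional[List[str]]]  # None means NXDOMAIN


def random_probe_names(count: int = 4, suffix: str = "example.com") -> List[str]:
    """Generate labels that nobody owns, each in a bare and a www. form.

    example.com is reserved (RFC 2606), so nothing under it should resolve;
    the www. variant catches ISPs that only hijack www-prefixed names.
    Returns 2 * count names.
    """
    names = []
    for _ in range(count):
        label = secrets.token_hex(8)
        names.append(f"{label}.{suffix}")
        names.append(f"www.{label}.{suffix}")
    return names


def live_resolver(name: str) -> Optional[List[str]]:
    """Resolve with the system stub resolver; None on NXDOMAIN or any failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def detect_hijack(resolve: Resolver, names: Iterable[str]) -> dict:
    """Return a verdict describing whether nonexistent names got answers."""
    answered = {}
    for name in names:
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    if not answered:
        return {"hijacked": False, "hijack_ips": [], "answered": {}}
    hits = Counter(ip for addrs in answered.values() for ip in addrs)
    # An address returned for every answered probe is the hijack target.
    # If no address is consistent, something is still answering names that
    # must not exist, but there is no single address to hand to dnsmasq.
    consistent = sorted(ip for ip, n in hits.items() if n == len(answered))
    return {"hijacked": True, "hijack_ips": consistent, "answered": answered}


def dnsmasq_bogus_nxdomain(hijack_ips: Iterable[str]) -> List[str]:
    """Emit dnsmasq.conf lines mapping the hijack address back to NXDOMAIN."""
    return [f"bogus-nxdomain={ip}" for ip in hijack_ips]


# --- constructed fake resolvers for offline demonstration -------------------

HIJACK_IP = "192.0.2.53"  # TEST-NET-1 address standing in for an ISP portal


def fake_hijacking_isp(name: str) -> Optional[List[str]]:
    """Behaves like an ISP that answers every nonexistent name with its portal."""
    return [HIJACK_IP]


def fake_www_only_isp(name: str) -> Optional[List[str]]:
    """Behaves like an ISP that only hijacks names starting with www."""
    return [HIJACK_IP] if name.startswith("www.") else None


def fake_honest_resolver(name: str) -> Optional[List[str]]:
    """Returns NXDOMAIN for everything, as a truthful resolver should."""
    return None


if __name__ == "__main__":
    # Against the real stub resolver this needs network access.
    verdict = detect_hijack(live_resolver, random_probe_names())
    print(verdict)
    print("\n".join(dnsmasq_bogus_nxdomain(verdict["hijack_ips"])))
```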
Re:not only Verisign (Score:5, Interesting)
Every technological marketing gimmick that has been invented was the result of some techie wanting to get rich quick (or kiss up to his boss) and I don't blame them. If I found a way to exploit DNS further or any other part of the net and was able to get rich from it, I'd do it in a heartbeat.
And so would most of you, too.
Re: (Score:2)
> Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST respond truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."
> Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.
I doubt it still would go anywhere in court. It's not like it's illegal to break RFCs and protocol standards on services you provide to your customers, who have opted-in and bought them. You might have a case if they blocked using other DNS servers, but they don't. And if they included a part in the contract that says you're only allowed to use their DNS server (like they say for email port 25), you don't have a case with that either.
btw, this thing seems to only be a problem in USA too - they're not doing anyt
Re: (Score:2)
> It's not like it's illegal to break RFC's and protocol standards on services you provide to your customers
No, but it might be illegal to break RFCs and protocol standards on services that you advertise support for. There are lots of truth in advertising laws around the world that could be used to enforce this.
My ISP does the DNS redirection thing, but it's only marginally evil. They only do it for domain names starting www and the page that they redirect to has a permanent opt-out button (which doesn't store anything in a cookie; dig works correctly for looking up www.madeup.example.com after setting it). I
Re: (Score:2)
>> My ISP does the DNS redirection thing, but it's only marginally evil. They only do it for domain names starting www and the page that they redirect to has a permanent opt-out button...
and... how do you find that optout button?
and... how does dig operate if you don't press the button?
Re: (Score:2)
> and... how do you find that optout button?
It's on the page they redirect you to.
> and... how does dig operate if you don't press the button?
Incorrectly - it returns their address instead of NXDOMAIN for nonexistent domains with the www. prefix.
You do need to have a machine with a web browser connected to the connection to be able to opt out, but for a consumer grade connection that's not an unreasonable assumption.
You missed the "breaking ISO layers" issue (Score:2)
They're not redirecting you to a web page - they're redirecting you to a different IP address, which has a web server on it. What if you weren't running http? Besides dig, there's also https (are they only serving http?), and ssh, and email (less common on www.x.x, admittedly), but they're still fundamentally breaking it.
It's not unreasonable to expect that my machine might have a web browser on it - but if that's not the application I used, they need to know not to break it, and they *can't* know that, b
What do they do about HTTPS? or SSH? (Score:2)
Oh, right, they can't tell you're trying to open an https connection instead of an http connection because they're hijacking the DNS query, not the browser query. That's why it's called *broken*.
And where do they put the opt-out button on ssh connections? Unlike email, where I'm usually not emailing to a www.* address, I fairly often want to ssh to a web server (admittedly, that's usually inside my own network, but not always), and they shouldn't be fraking with it - and they can't tell whether they are o
Re: (Score:2)
> Agreed. Isn't failure to return an NXDOMAIN pretty much the same as any other exploit? I would say that the laws that protect against circumventing the security on a computing system should apply to this false-reply injection technique. Why should some random web operator be given access to download code to my computer when I didn't expressly visit their site?
Uh. Are you completely forgetting that *YOU* are using *THEIR* DNS servers?
Not that DNS response would be anything like executable code either...
Re: (Score:2)
Not necessarily, the web page you're erroneously redirected to is code; and your web browser will send cookie information to the webserver that it has no right to receive.
Re: (Score:2)
What's an incorrect answer anyway? To the TCP/IP connection I expect my ISP to provide there is nothing holy about ICANN's DNS root.
Re: (Score:2)
And that would be enforced, how?
Confusing what is with what we'd like it to be (Score:2)
> Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST respond truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."
I invite you to write the RFC. It's easy to do, and basically, anybody can write an RFC. There's the infamous evil bit [faqs.org] for example. But here's the thing... RFCs are just that: Requests For Comment. They
Re: (Score:2)
Since when is DNS by legal terms part of internet service? Yes ISPs usually have DNS servers for their customers, because it's usually expected and to make it customer friendly. But unless they specifically state that you will have access to such a service too, or say it in the contract, you don't have a legal case. And it's not like you can't use other DNS servers or set up your own. ISPs have usually also had email accounts, news and other services but 2000+ they've started dropping those and you wouldn't have a
Re: (Score:3, Insightful)
When your ISP gives you name(s) for POP3 service (and maybe NNTP also), rather than addresses, and those names are within the ISP's domain...
Then a working DNS, administered by the ISP, is part of the service. Without it, the ISP is unable to offer the services stated to their customers in their paperwork.
Yes, maybe it's contracted out. But that doesn't change the ISP's responsibility to its customers, or its liability when service fa
Re: (Score:2)
Yes I know you pretty much need DNS to use the internet, hence why all ISPs offer it to their customers. But what exactly would be that false advertising? They are providing you with DNS servers so you can resolve names. Just because their own-run server breaks the RFC (with the NXDOMAIN thing) doesn't exactly break any law. It might be a bad habit and it might make technical people angry (normal people just don't care), but that's it. Of course, you are always free NOT to use their services or make them know how you
Re: (Score:2)
No they are not, because it isn't proper DNS, it's their tainted version of it.
Of course this restaurant doesn't sell dead cat, it clearly says chicken right here on the menu.
Re: (Score:2)
I dunno. Would your car dealer be doing anything wrong if he only supplied three tires for your new car? I mean, sure, it's pretty much necessary to have four tires to do any kind of real driving, but hey, would they be in the wrong if they opted only to give you three?
competition (Score:2)
Re: (Score:2)
Good luck getting everyone to join your root servers instead.
Re: (Score:2)
> Good luck getting everyone to join your root servers instead.
Isn't that what the 'OpenDNS', which isn't open, about? It looks like viral marketing for a parallel name service.
Re: (Score:2)
Such things exist. [wikipedia.org] Nobody uses them.
Re: (Score:2)
Or, as ICANN members, we could all submit/vote for a proposal to pull IP address blocks from companies who do such things. That'll get some attention. Submit it, Vixie, and I'll vote.
what it is becoming (Score:3, Interesting)
Not that I particularly like it either, but then I wasn't too happy when the word 'hacker' changed to mean 'someone who breaks into your computer.' Nor was I particularly happy about masquerading becoming a popular routing technique, instead of switching to IPv6. And yet, that's what happened. Sometimes technologies are twisted in ways you don't intend or like.
Re: (Score:2)
> What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies.
Erm.. didn't Paul create MAPS to explicitly provide - and later monetize - the RBL? Wasn't the RBL a "directory service"? Didn't it map IPs to policy-based information?
I agree with the point he's trying to make; I hate NXDOMAIN hijacks too. I don't get the rant about CDNs, though; seems to m
Re: (Score:3, Informative)
I think you're missing his point. It's easy to do, because he does hide it quite well behind a large wall of text. DNS, as Vixie (awesome name) rightly says, should be a cacheable mapping. The result should depend on the query and nothing else. It should not depend on who your ISP is. It should not depend on your geographical location. If you do a DNS lookup from your computer, you should get exactly the same result that I get from my computer at the same time, irrespective of where we both are in the
Re: (Score:2)
See, you're making Paul's point better than he does! Even in his comment above, he just says that "All DNS responses issued by our DNS servers were absolutely factual in the policy they expressed." - which is in equal parts true, predictable, tautological and irrelevant to his own point.
Mod Paul's interpreter up.
Re: (Score:2)
So you're saying he should shut up and learn to like it?
Part of his point is, if we let it go this way, we'll lose the opportunity to do other nifty
This is a good opportunity to say... (Score:2)
Re: (Score:2)
They forcing you to use their servers?
Re: (Score:2)
OpenDNS is not the only choice.
Transparent DNS hijacking becoming more common (Score:2)
I don't know about his ISP, but there are ISPs out there that not only hijack NXDOMAIN queries, but also transparently hijack *all* DNS queries. DNSSEC may help, and anti-Kaminsky-spoofing may help, but it's basically evil.
Which Bell? Canada? South? Other? (Score:2)
I'm not saying there aren't lots of reasons to be upset with just about any phone company, but which one are you upset at?
Breaking the standards to implement policy (Score:4, Interesting)
Breaking the standards to implement policy is a good thing sometimes. Take SPF records for example: if they were to become widespread, then spam could very easily be reduced by probably 99%.
Re: (Score:2)
"SPF, SenderID, and DKIM are not spam-fighting techniques. They are forgery-fighting techniques. "
Yes, of course. But I don't think you're understanding the point of SPF.
It's not just the URLs advertised in spam. If we have global SPF to the point where sending from a server not named in the SPF record is a useful indicator, wham, that will cut spam instantly as a side-effect.
First, because every spam sent from a botnet will be dropped because they're not SPF servers.
Second, because in a world where you can
Re: (Score:2)
SPF breaks forwarding. Oh, and SPF itself does nothing much to help stop spam.
CDNs are good thing (Score:4, Insightful)
While I totally agree that overriding NXDOMAIN responses is evil, returning different DNS responses based on the client's location or for load balancing purposes is an extremely useful technique for large companies serving a large amount of web traffic. For example, check out what www.google.com resolves to from different countries or even at different times - depending on where you look it up from and what network links are up, you will get a different set of IPs.
Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness by avoiding unnecessary cross-planet network traffic. And even if google gets it wrong, they are no worse off than if they never implemented this in the first place.
Re: (Score:3, Informative)
> I suspect anycast would be a better method, honestly.
And you'd be completely, utterly wrong. I've seen anycast resulting in some mind-numbingly stupid site selection choices, usually due to a local ISP's BGP policy - and when I say "stupid" I mean "all users of ISP X in New York City getting sent to a mirror in Sydney, Australia instead of the site downtown".
This might be OK for simple DNS queries, but for actual web sites it is a True Path To Pain.
Re: (Score:2)
I don't know, how much does an anycast address cost? So much that Google or Akamai can't afford it? (Also, RR load balancing is a separate thing entirely.)
Regarding the CDNs, you didn't read the article, did you; it is fundamentally flawed. The CDN does not choose a server based upon proximity to the endpoint, but rather to the recursive resolver through which the DNS request passed.
Anycast does exactly what you want.
Re: (Score:3, Informative)
He argues that the problem is, the client doesn't usually hit the DNS server; the client's DNS server only does after it expires its own local cache.
Just because your ISP's DNS servers are sitting in LA doesn't mean you are. You could be in Seattle, and using those DNS servers, or out in the world, on the work VPN, using their DNS server in downtown Chicago. That's how many people get around regional restrictions now, in fact.
People have shoehorned DNS into something that it is neither Efficient, or design
Re: (Score:2)
That might be the case in the USA, but in other parts of the world you're 99% of the time using DNS servers in your own country, which is pretty much the closest area a CDN can have their things anyway. Yes you could use a VPN, have changed your DNS servers and so on, but you're the minority case there, and even then it works normally, probably just not as efficiently as it could.
It is a completely different situation when you look at it from the whole-world view.
Re: (Score:3, Informative)
> For example, check out what www.google.com resolves to from different
> countries or even at different times - depending on where you look it up from
> and what network links are up, you will get a different set of IPs.
According to Google I spent the last two weeks of October jumping around between Japan, France, Spain, and Britain.
I never left Wisconsin. And no, I was not using Tor or a VPN or any such thing.
Re: (Score:2, Insightful)
I disagree.
Getting the wrong web page is not helpful. For example, go to Japan and look up some big name website, e.g. google.com, and you get it localized into Japanese. I didn't want google.co.jp, I wanted google.com. How does DNS know what language I speak?
Many, many times I tried to look up the website of a big American or European
The two examples don't seem anything alike ... (Score:5, Interesting)
Ok, we all agree that funneling NXDOMAIN responses to your advertising portal is wrong. It's evil, manipulative, blah blah, not going to defend it.
What really bothers me is his rationale for the first example -- using DNS responses to properly route content to the right node in your CDN. Sure, it increases the "floor" request time by eliminating cached response closer to the user, but it also greatly decreases the average request time by serving the content from the nearest node. It seems to me like it's a huge net win for the total amount of network traffic -- you lose by having a whole lot of extra (tiny) DNS requests and cache-misses but you win huge by having Microsoft's latest service pack (many MB) traverse the smallest possible number of hops.
His second complaint, that this is somehow lawsuit-fodder, is ridiculous on its face. Akamai works incredibly well for content providers that don't want to invest in lots of redundant distribution resources. They have every incentive to outsource it to a company that will provide the users with a much faster experience and virtually nothing to lose. Most users will give up on a website if it can't serve their requests in a reasonable amount of time and I don't see a revolution in user patience about to happen.
Finally, his "solution" -- that CDNs rely on dumb ("pseudorandom" is his fancy way of saying dumb) assignment of users to distribution nodes -- is a huge step backwards. It would mean more stress on the long-haul fiber for absolutely no good reason as requests were served geographically distant from their origin. By the way, it's interesting that he labels his dumb response "truthful", as if Akamai lied when they assigned me to a different node than my Australian buddy because we live half a globe apart? That's ridiculous. We each asked for a server that can give us www.amd.com, we got a damn truthful answer. In fact, we each got the best possible answer we could. That's not lying, it's giving each of us a finer-grained optimal answer than we would have received under his lame suggestion.
Please don't confuse his (for the foregoing reasons, silly) rant against CDNs with his rightful indignation at NXDOMAIN redirects. They are totally different animals.
Re:The two examples don't seem anything alike ... (Score:5, Insightful)
Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement what so ever from dynamic DNS.
Akamai could use DNS with traditional cache times and still redirect to the right node via HTTP redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permanent redirection' or 'this is only temporary, next time ask me again'.
I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.
Re: (Score:2)
As the senior systems engineer for a website with points of sale all over the world but datacenters only in the U.S., and a heavy Akamai user, I can tell you that the amount of time for a 301 (requires tcp handshake and http headers) vs the time for DNS is nearly an order of magnitude, so it's a no-brainer to use DNS for this sort of thing.
Re: (Score:2)
It's only a no-brainer if you're ignoring other people's costs that result from your misuse of the DNS protocol.
Re: (Score:2)
The abuse being....a lower cache hit rate on caching DNS servers? We're talking about Akamai here, not wildcarding. DNS service just isn't that expensive to provide, and when you consider that ISPs actively encourage Akamai to have caching servers inside the cages on their head ends, I think the "more DNS queries" vs "lower upstream bandwidth usage and better latency for our customers" doesn't seem like a tradeoff they're complaining about.
Re: (Score:2)
> Would anycast not be faster?
No. There would be problems with having to put that amount of upstream bandwidth in for all those website hosts. Maybe you think that that's practical and cost-effective, but that merely shows that you don't run a large, popular website and are unlikely to ever do so.
Re: (Score:2)
Sorry for the late response, but:
1. Anycast doesn't always work well for tcp.
2. Anycast means BGP, which means large blocks of IPs if you don't want to get filtered, which are hard to come by these days.
3. One major benefit of Akamai besides latency is decreased dependency on ISPs' often flaky routing decisions; anycast would go the opposite way and increase this.
Re: (Score:2)
Title hardly makes for argument (note I wasn't the one throwing around the ad-homs here); I just wanted to point out that I was speaking from experience.
I don't understand how this is a problem with http...connecting tcp around the world takes an enormous amount of time compared to udp. That's just reality. Remember the issue here isn't what my servers can deliver, but rather latency, which is a function of the global network I don't control. Using Akamai for DNS allows me to use Akamai for midgress and
Re: (Score:2)
I'd like to see how you'd do that for RTSP, FTP, and any of the dozens of other internet protocols Akamai serves up...
News to me (Score:2, Interesting)
> Browser implementers including Microsoft and Mozilla have begun doing DNS queries while collecting URIs from their graphical front end in order to do fancy "auto-completion." This means that during the typing time of a URI such as http://www.cnn.com/, the browser will have asked questions such as W, WW, WWW, WWW.C, WWW.CN, WWW.CNN, and so on. It's not quite that bad, since the browsers have a precompiled idea of what the top-level domains are. They won't actually ask for WWW.C, for example, but they are now asking for WWW.CN, which is in China, and WWW.CNN.CO, which is in Colombia.
Which browsers actually do this? Is Mozilla actually participating in that nonsense?
Re: (Score:2)
I hope so, otherwise I'm switching back to IE pronto.
Re: (Score:2)
> Is Mozilla actually participating in that nonsense?
No. I have no idea where Mr. Vixie got that misinformation, nor do I know why he's spreading it.
facts (Score:3, Interesting)
Interesting echo from FAQ [monotone.ca] which I read the other night. The original contains a lot of italic I'm not going to replicate.
The closer one lives to the foundation, the stronger the argument for a fact-based architecture. DNS is about as foundational as one can get in internet security. Interestingly, the architecture of monotone is highly cryptographic, and somewhat reminiscent of DNSSEC from the 40,000 foot view.
The people who don't see the problem with mixing fact and policy are likely the same people who don't regard it as a big problem that your credit card number is widely distributed in plain text: to every vendor you do business with, many of their employees, the trash collectors out back, and their governing union.
Why is it that some guy on the GPS thread complained that the police are free to criminalize driving under the age of 18 (to collect more revenue) and effectively act as their own judge, jury, and executioner (in the corrupt towns where this practice becomes established), but there is generally less complaint about VISA architecting themselves the same powers?
If the police collected a 2% slice of gasoline revenues and awarded bonus points for trips to Hawaii in any year where you keep your license clear and generally found other clever ways to rebate unpenalized drivers the 2% (with enough hidden strings attached it doesn't ultimately cost them much), would they be as loved as the VISA company? Just asking.
Dan Ariely asks, Are we in control of our own decisions? [ted.com]
Turns out it depends on how you frame the question. If the question is: do you want the DNS system to become so badly abused it might as well have been designed by a bank, you might get one answer. If the question is: do you want DNS optimized so your porn streams with ten seconds less delay between clips, you probably get the other answer.
I vote for facts. That said, I will say one thing in defense of Akamai: one can construe a CDN as a fact-based system, if the factoids you are dealing in are that "this IP address can deliver the content you want". Ideally, you already have a secure hash signature of the file you're seeking so it can't play too many games with the notion of "the file you want".
I don't see why DNS needs the facts to be so low level as "this is the same IP address everyone else gets for the same query". There could be a good reason, but Vixie's excellent article fell short of providing it.
Ideally, the CDN problem would have been solved with another layer of delegation: the content you are seeking can be obtained from a vast array of different places, here's an authoritative address for a highly overloaded server; if you're in a hurry go talk to xxx.xxx.xxx.xxx to find a location near you. Then the caching proxy can send a request with the header "I represent a client in the Pacific Northwest" rather than sending back to the client the name of the video store where the client's attorney rents his own porn.
IP over DNS (Score:2)
DNS is also not an inventory system (Score:2)
I see too many organizations using DNS as an inventory system (e.g. prtsertor01), resulting in host names more difficult to remember than IP addresses.
Come on now (Score:2)
When you have a thousand people, what should you name them?
He is absolutely right! (Score:2, Interesting)
It all comes down to trust. If my ISP changes the answers of the root server for nonexistent addresses, how do I know they don't do it for other addresses, too? And if they use something like deep packet inspection to select my DNS requests and redirect them to their server, it's actually a man-in-the-middle attack. Also known as DNS spoofing and used by many criminals to collect all sorts of information.
Seriously, we have to stop taking crap from those return of investment and cash flow management idiots,
Re: (Score:2)
I bet you could do it in less than 200 lines of legible Perl.
Re: (Score:2)
But he has a point. DNS is very good at what it does, but when companies start mucking about with it, its reliability becomes much more questionable. In the .com fiasco we had the DNS clearly abused with severe repercussions for general wide-scale network stability.
Where does one find this so-called philosophy ? (Score:2)
Besides in the dream world where you apparently live a great deal of your life? I can see why you post as an AC.
Please... Stop... (Score:2)
Re: (Score:2)
Vixie didn't justify it - he acknowledged that it was a design flaw with no practical airtight fix besides DNSSEC - but he was one of the main players that coordinated the patches to get source port randomization, the best possible fix easily deployable, out there before the bug became public knowledge.
BTW have you ever met the man? I have.
Listen to this man! (Score:2, Informative)
I met Vixie some number of years ago in Vegas and
Re: (Score:2, Funny)
Mod parent down, Anonymous Coward is a known troll.
Re: (Score:2)
Given that his claims about Mozilla are flat-out false, I doubt that he actually did.