Sitefinder II, the sequel...

Simon Waters simonw at
Tue Jul 11 13:33:55 UTC 2006

On Tuesday 11 Jul 2006 13:40, you wrote:
> Client sites with dedicated recursers are going to be presented with a
> challenge:  if their servers use the recursers, then will they set up
> a parallel set of caching forwarding recursers for desktop-to-OpenDNS
> use, or will they simply let OpenDNS be their default resolver for
> desktops?  (etc)  What happens if/when OpenDNS gets too busy, or fails,
> or goes TU?

Fortunately BIND does a "forward first" option. But of course then the view of 
the DNS will change when the remote servers are busy :(

A bigger issue I haven't thought through is the site encourages forwarding, 
which is notorious in the DNS world for causing poisoning issues. Although 
presumably if their DNS implementation itself is perfect, that may not raise 
issues, it makes me nervous.

> I have not been convinced that coherence is a property that *must* be
> maintained within the DNS, though I see certain portions that must
> obviously remain coherent.

But can you define a mechanical rule to identify if an A record belongs to the 
set of A records that must remain coherent, so that they never get modified 
by such a scheme?

The advantage of things like relay block lists is the effect is limited in 
scope -- I won't talk to that email server because -- and the errors and 
conditions that result are small, but as soon as you return an "untrue" 
answer for an A record you have no way of knowing how much of the Internet 
you just lost name resolution from, because you can't know for sure that it 
isn't the delegated name server for an important domain.

Sure, this may reflect a bad design decision in the DNS from olden days, but it 
is the reality of the Internet that servers with names like "" 
play a crucially important role, and unless you happen to know what that role 
is, you can't assess the importance of that A record (okay that one was an 
easy one).
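
The point above, that one untrue A record can take out name resolution for zones whose delegation depends on it, worked through as an added example (not part of the original post). The zone and host names are constructed under the reserved `.example` TLD. The model assumes every address lookup passes through the rewriting resolver, that one usable name server is enough to reach a zone, and that glue covers a zone's in-bailiwick servers unless their record is falsified.

```python
# Constructed sample data: zone -> host names of its delegated name servers.
DELEGATIONS = {
    "dnshost.example": ["a.dnshost.example"],       # in-bailiwick, relies on glue
    "shop.example": ["a.dnshost.example"],
    "bank.example": ["ns.shop.example"],            # depends on shop.example
    "blog.example": ["a.dnshost.example", "ns.other.example"],
    "other.example": ["ns.other.example"],
}


def zone_of(host, zones):
    """Longest-suffix match: the modelled zone that holds host's A record."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None  # hosted outside the model; treated as always reachable


def lost_zones(delegations, falsified):
    """Zones left with no usable name server once the A records named in
    `falsified` are answered untruthfully. Iterates to a fixed point so
    that losses propagate through chains of delegation."""
    lost = set()
    changed = True
    while changed:
        changed = False
        for zone, servers in delegations.items():
            if zone in lost:
                continue
            usable = [ns for ns in servers
                      if ns not in falsified
                      and zone_of(ns, delegations) not in lost]
            if not usable:
                lost.add(zone)
                changed = True
    return lost


if __name__ == "__main__":
    # Two single-record rewrites that look alike from the name alone.
    for name in ("www.shop.example", "a.dnshost.example"):
        print(name, "->", sorted(lost_zones(DELEGATIONS, {name})))
```

Nothing in the host name distinguishes the two cases; the difference comes only from delegation data held elsewhere.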
