Patrick writes:
I'm not going to use the service either, but for different reasons than you state. And it does have "many of the same flaws" as Sitefinder.
Yes, it does. However, many of those flaws revolve around servers being forced to opt in to the (original) Sitefinder; it should be clear that you do not want servers participating in this, and you have the option to make it so. Regardless, this may create some operational challenges - both for client sites and for OpenDNS. I note with some amusement that their home page says "22,340,882 DNS requests", which is a trivial number of requests. Obviously anycast will help the service scale in the traditional manner, but depending on the amount of "smart" they're trying to do, they could be adding a lot of work to the process of handling errors (fortunately they seem to be doing nothing significant at the DNS level). I think of the sheer volume of bogus traffic at the roots, for example. Client sites with dedicated recursers are going to be presented with a challenge: if their servers use the recursers, then will they set up a parallel set of caching forwarding recursers for desktop-to-OpenDNS use, or will they simply let OpenDNS be their default resolver for desktops? (etc) What happens if/when OpenDNS gets too busy, or fails, or goes TU? DNS was designed to be a distributed network for name resolution. The whole concept of OpenDNS, while clever, seems to violate - at least somewhat - the spirit behind DNS. Taken to the extreme, every desktop on the planet would be pointed to their servers, and at that point, we essentially have something resembling a centralized host file database server. We'll effectively have eliminated the distributed caching recurser network, and be left only with the authoritative server tree, which would be better integrated into OpenDNS too at that point. Of course, we're not likely to see anywhere near 100% penetration of OpenDNS...
But Sitefinder had only one fatal flaw: The Lack Of Choice.
Obviously that flaw is not shared.
It is merely replaced with another (others?). I believe Paul Vixie was just recently reminding people about DNS coherence in the thread "DNS Based Load Balancers", and I expected to see that objection show up here right away. I have not been convinced that coherence is a property that *must* be maintained within the DNS, though I see certain portions that must obviously remain coherent. I've written DNS based load balancers in the past, which worked very successfully for their intended application, so my views may be mildly slanted. I would be curious to know exactly how invasive this is into the system, and what sorts of things are done. I did do some poking at their resolver with some queries, and here's what I noticed.

Name: www.sol.net
Address: 206.55.64.128

Name: www.sol.nte
Address: 208.67.219.40

okay, that makes sense
www.<someofflinedomain>.com. *** Request to resolver1.opendns.com timed-out
okay, that's fine (domain has inaccessible NS's) but this:

Name: doesnotexist.sol.net
Address: 208.67.219.40

bothers me. It almost looks like their "magic technology" was to take nonexistent results and replace them with their web redirector. I don't *think* the original Sitefinder behaved like that for delegated domains, though I really cannot recall the exact effect of a wildcard in this case. There are still numerous security risks associated with losing final control over your namespace, and there is also the attractiveness factor for crackers - it'd be a really scary thing to have a lot of people using this and then have a cache entry for a major bank get corrupted or inserted maliciously.
Of course, everyone should feel free to espouse their opinions on the service, and use it or not, and try to persuade others to use it or not. But just like any other service, software, protocol, or other _optional_ choice in running your network (or home computer), we will just have to let the market decide. Chances are, there's enough Internet to go around for everyone, whether they use the service or not.
Well, it may not be perfect, but it is at least a "Sitefinder done (more) right" than the last spectacle. I have my reservations.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
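As an added example (not part of Joe's post, nor OpenDNS's own code), the check he did by hand with nslookup can be scripted: ask a resolver for a random label that cannot exist under a delegated zone and see whether it answers NOERROR with the redirector address instead of NXDOMAIN. The redirector address is the one observed above; the zone name, resolver address, query id and timeout are assumptions.

```python
import os
import socket
import struct

# Observed in the post above: the address returned for a nonexistent name.
# Treated here as the suspected redirector (assumption, not a published list).
SUSPECTED_REDIRECTORS = {"208.67.219.40"}

def build_query(name, qid):
    """Build a minimal DNS query (A/IN, RD bit set) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode, [A record addresses]) from a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F           # 0 = NOERROR, 3 = NXDOMAIN
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs

def looks_rewritten(rcode, addrs, redirectors=SUSPECTED_REDIRECTORS):
    """NXDOMAIN was swallowed if we got NOERROR plus a redirector address."""
    return rcode == 0 and any(a in redirectors for a in addrs)

def probe(resolver_ip, zone, timeout=3.0):
    """Live check: ask `resolver_ip` about a random label under `zone`."""
    name = os.urandom(6).hex() + "." + zone      # label that should not exist
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, 0x1234), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return looks_rewritten(*parse_response(data))
```

Running `probe` against your own recursers as well as the third-party one shows whether the NOERROR-with-redirector behaviour is the resolver's doing rather than a wildcard in the zone.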