On Tuesday 11 Jul 2006 13:40, you wrote:
> Client sites with dedicated recursers are going to be presented with a challenge: if their servers use the recursers, then will they set up a parallel set of caching forwarding recursers for desktop-to-OpenDNS use, or will they simply let OpenDNS be their default resolver for desktops? (etc) What happens if/when OpenDNS gets too busy, or fails, or goes TU?
Fortunately BIND does a "forward first" option. But of course then the view of the DNS will change when the remote servers are busy :( A bigger issue I haven't thought through is that the site encourages forwarding, which is notorious in the DNS world for causing poisoning issues. Although presumably if their DNS implementation itself is perfect, that may not raise issues, it makes me nervous.
> I have not been convinced that coherence is a property that *must* be maintained within the DNS, though I see certain portions that must obviously remain coherent.
But can you define a mechanical rule to identify if an A record belongs to the set of A records that must remain coherent, so that they never get modified by such a scheme? The advantage of things like relay block lists is the effect is limited in scope -- I won't talk to that email server because -- and the errors and conditions that result are small, but as soon as you return an "untrue" answer for an A record you have no way of knowing how much of the Internet you just lost name resolution from, because you can't know for sure that it isn't the delegated name server for an important domain. Sure this may reflect a bad design decision in the DNS from olden days, but it is the reality of the Internet that servers with names like "hippo.ru.ac.za" play a crucially important role, and unless you happen to know what that role is, you can't assess the importance of that A record (okay that one was an easy one).
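Added example, not part of the thread: a minimal BIND named.conf sketch of the "forward first" arrangement the reply mentions, alongside the per-zone carve-out that keeps names which must stay coherent resolved locally rather than via the remote resolver. The addresses are RFC 5737 documentation placeholders (not real OpenDNS servers) and the zone name is assumed.

```conf
// Added illustration, not from the original message.
// 192.0.2.x addresses are documentation placeholders, not real resolvers.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // only the site's own desktops

    // "forward first": send queries to the forwarders; if they time out
    // or fail, fall back to full iterative resolution from the roots.
    // Caveat from the reply above: answers then depend on which path
    // was taken, so the view of the DNS changes when the forwarders are busy.
    // "forward only;" would instead fail hard when the forwarders are down.
    forward first;
    forwarders { 192.0.2.53; 192.0.2.54; };

    // Mitigation for the poisoning concern: validate signed answers
    // regardless of whether they arrived via a forwarder or directly.
    dnssec-validation auto;
};

// Names that must remain coherent (here, an assumed local zone) are
// exempted from forwarding with an empty forwarders list, so BIND
// resolves them itself and a forwarder can never alter their A records.
zone "corp.example" {
    type forward;
    forwarders { };
};
```

With this layout the desktops still get the forwarder's filtered view for the general Internet, while the carve-out zones are answered from authoritative data no matter what the forwarder returns.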