Re: [Add] [EXTERNAL] Re: My longer list of questions [from partial distribution at the MIC]

Paul Ebersman <list-add@dragon.net> Mon, 29 July 2019 22:08 UTC

From: Paul Ebersman <list-add@dragon.net>
To: Paul Wouters <paul@nohats.ca>
cc: add@ietf.org
In-reply-to: <alpine.LRH.2.21.1907291319010.12515@bofh.nohats.ca>
References: <ybl8ssna2en.fsf@wu.hardakers.net> <DBF126D4-ACE7-419A-A608-2A7114F816E0@frobbit.se> <CAChr6Sw8ZuTxE0iha+tkuE2Bg7zOtKCHUMYXVkDKg84McPh-aw@mail.gmail.com> <112384FB-C68D-4308-8ED9-C0BBF615751D@frobbit.se> <CAChr6Swh_9w8tRacYf+=QWarQ3-4Kr===ZjPogGGGRCRgPObEw@mail.gmail.com> <1C02AB5B-D01E-49F6-86CE-BAEF4779E776@frobbit.se> <alpine.LRH.2.21.1907261512390.22335@bofh.nohats.ca> <477F76EA-3945-4D77-BEAE-FFCC01B21FF8@nbcuni.com> <64bcfc51-6f3d-ae24-4de5-d0eb89975c66@cs.tcd.ie> <B559AB20-47D9-41F2-B520-3989B6F4D92F@nbcuni.com> <539D6F9D-137C-4F68-A8DE-EA3DFAF4D827@huitema.net> <EBF15E49-80C7-474D-9CDA-446AD8639874@frobbit.se> <CABcZeBNAWHYvRHaaWE=yfVijwjubZ_tua6Y7_zQcwe7t81sfBw@mail.gmail.com> <73C24907-048A-46C8-812A-C45483C607D4@frobbit.se> <E3937FB9-12E3-4247-BC44-676ABC77A7CC@nohats.ca> <20190729151538.7DFCF15DA2E3@fafnir.remote.dragon.net> <alpine.LRH.2.21.1907291137001.3508@bofh.nohats.ca> <20190729155147.EA58815DA847@fafnir.remote.dragon.net> <alpine.LRH.2.21.1907291319010.12515@bofh.nohats.ca>
Comments: In-reply-to Paul Wouters <paul@nohats.ca> message dated "Mon, 29 Jul 2019 13:27:48 -0400."
Date: Mon, 29 Jul 2019 16:08:50 -0600
Message-Id: <20190729220850.ADFA115DD791@fafnir.remote.dragon.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/vosdpxcYVIjfvfm43ZhG688yNTI>
Subject: Re: [Add] [EXTERNAL] Re: My longer list of questions [from partial distribution at the MIC]

paul> I was thinking more along the lines of the pool.ntp.org model.

ebersman> NTP isn't nearly as latency sensitive, since it's designed to
ebersman> deal with this and it's not a human waiting for a page
ebersman> load. NTP also deals nicely with having multiple sources, some
ebersman> of which aren't good/accurate and still get to one answer.

paul> If you think DNS is latency sensitive, I can advise you to install
paul> an ad-blocker instead.

paul> Browsers might think latency is the only useful metric for DNS, but
paul> it is not. It's as meaningful as horsepower is on modern cars.

It's not always just ads and much of what ADD is all about is browser
usage, so it is relevant to this comparison.

And regardless of whether you care about latency as the most important
metric, we're still talking about an NTP design trying to be rammed onto
a DNS design.

You'd started by talking about a replacement for the quadX anycasted
RDNS services. I'm curious how you think that maps to pool.ntp.org.

If you are talking about widely distributed anycast, whose address space
and infrastructure are you planning on using and who will deal with all
the peering to get the anycast announced?

If you're not talking about using one single pair of anycast v4 and pair
of v6 but using whatever local unicast addrs are available, how are you
getting it to clients? That's why I mentioned client OS changes. Unless
you're planning to try to get this into CPE routers? If you think the
browser will be doing it, how will the browser get said addrs and how
will a user see this and get a choice?

ebersman> There is a reason that there are a very limited number of
ebersman> large open recursive DNS services well anycasted, well
ebersman> distributed and well run. It's not because being centralized
ebersman> was the primary goal; it's because it's expensive and
ebersman> difficult.

paul> Mostly due to UDP reflection/amplification attacks, which are not
paul> present if your open resolver runs with DNS COOKIES or TCP, which
paul> it will when using DoT or DoH. (Note I have been running an open
paul> resolver for the last 15 years. It does not see much downtime at all.)

No. Mostly due to the expense of being in dozens of data centers around
the world to be sufficiently distributed, the cost of connections to get
all the IXs or transit providers to accept your BGP announcements of
your anycast, and the staff to watch that 7x24. If you're not doing that,
you're not a valid comparison to the quadX folks at all.

So, I'd love to hear how a pool.ntp.org clone would actually work for DNS
and be better than running a local resolver.