Re: [DNSOP] definitions of "public DNS Service"
dagon <dagon@sudo.sh> Sat, 23 May 2020 01:32 UTC
Date: Sat, 23 May 2020 01:32:12 +0000
From: dagon <dagon@sudo.sh>
To: George Michaelson <ggm@algebras.org>
Cc: dnsop WG <dnsop@ietf.org>, George Kuo <george@apnic.net>
Message-ID: <20200523013212.GA10996@sudo.sh>
References: <CAKr6gn0Fqk0qNCs5wbptN+rWRBQgBKom4iiudW0V1Xrj3fmE7Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7bX8goN3ifMbysiNWWe6OKlqqYE>
On Fri, May 22, 2020 at 10:55:34AM +1000, George Michaelson wrote:
> My colleague George Kuo asked me for definitions of public DNS
> service. Not "public DNS" but the trigram "public DNS service".

Is there room for this bike:

1) Policy: A "public DNS service" is a full DNS speaker outside of the end user's network and control. I.e., non-local recursion crosses one or more policy barriers---local network, carrier, state and international---with implications for integrity, resolution security, and privacy.

For some enterprises, recursion against 'public DNS services' creates an audit criticism. A poorly selected public resolver may import censorship. Or a well-selected resolver may evade (older) regional media controls by suggesting false locality to a media server, for those services unwilling to impose policy regional controls in their TCP multiplex.

Given these explicit choices and surprise outcomes, "crossing policy barriers" is a fair partial description.

2) Latent RRsets requiring protocol changes. Public DNS servers are the most distant commercially viable DNS iterator from the end user. Resolvers mitigate distance-induced latency via anycasting and robust provisioning. Suboptimal RRset selections required fundamental protocol changes---e.g., exposing local octets to the iterative layer---to accommodate what remains. (And hats off to the Tor exit nodes offering on-exit recursion, and injecting RFC 1918 addresses into the ECS payload.)

"Distant" is a fair description. Users pay for this distance, in either latency, privacy, or protocol changes.

3) "Free with footnotes". No good deed goes unmonetized. Users should understand the trade-offs in selecting a non-local resolver. The term "public" obscures stakeholder interests.

I suggest: "distant resolver outside of the user's policy oversight".

-- 
David Dagon
dagon@sudo.sh
D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717
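Point 2 of the message above refers to "exposing local octets to the iterative layer" and to RFC 1918 addresses turning up in ECS payloads. The following is an added example, not part of the original post or of any project discussed in the thread: it parses the body of an EDNS Client Subnet option (RFC 7871) and reports the two conditions a resolver operator auditing what they forward upstream would want flagged: an ECS payload carrying RFC 1918 space, and a SOURCE PREFIX-LENGTH wide enough to hand the full client address to every authoritative server. The function names, the `build_ecs_option` helper and all sample option bytes are constructed for this example.

```python
import ipaddress
import struct

# EDNS option code assigned to Client Subnet (RFC 7871, section 6).
OPTION_CODE_ECS = 8

# RFC 1918 private IPv4 space. Local octets like these have no business in
# a client-subnet hint that an iterator forwards to authoritative servers.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def build_ecs_option(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Assumed helper: build an ECS option body so the samples below are self-contained.

    Wire layout: FAMILY (2 bytes), SOURCE PREFIX-LENGTH (1), SCOPE PREFIX-LENGTH (1),
    then the address truncated to ceil(source_prefix / 8) bytes with host bits zeroed.
    """
    net = ipaddress.ip_network((address, source_prefix), strict=False)
    family = 1 if net.version == 4 else 2
    nbytes = (source_prefix + 7) // 8
    header = struct.pack("!HBB", family, source_prefix, scope_prefix)
    return header + net.network_address.packed[:nbytes]


def parse_ecs_option(option_data: bytes) -> dict:
    """Parse an ECS option body; raise ValueError on anything malformed."""
    if len(option_data) < 4:
        raise ValueError("ECS option shorter than its fixed header")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", option_data[:4])
    if family == 1:
        width = 4
    elif family == 2:
        width = 16
    else:
        raise ValueError(f"unsupported address family {family}")
    if source_prefix > width * 8:
        raise ValueError(f"source prefix /{source_prefix} exceeds address width")
    addr_bytes = option_data[4:]
    expected = (source_prefix + 7) // 8
    if len(addr_bytes) != expected:
        raise ValueError(
            f"address field is {len(addr_bytes)} bytes, expected {expected} for /{source_prefix}"
        )
    padded = addr_bytes + b"\x00" * (width - len(addr_bytes))
    # RFC 7871 requires bits beyond SOURCE PREFIX-LENGTH to be zero; a strict
    # network construction fails exactly when the sender violated that.
    try:
        network = ipaddress.ip_network((padded, source_prefix), strict=True)
        host_bits_zero = True
    except ValueError:
        network = ipaddress.ip_network((padded, source_prefix), strict=False)
        host_bits_zero = False
    return {
        "family": family,
        "source_prefix": source_prefix,
        "scope_prefix": scope_prefix,
        "network": network,
        "host_bits_zero": host_bits_zero,
    }


def classify_ecs(option_data: bytes) -> dict:
    """Parsed option plus the findings a resolver operator would want to see."""
    ecs = parse_ecs_option(option_data)
    net = ecs["network"]
    rfc1918 = net.version == 4 and any(net.subnet_of(r) for r in RFC1918_NETWORKS)
    return {
        "network": str(net),
        "scope_prefix": ecs["scope_prefix"],
        "rfc1918": rfc1918,
        # A source prefix as wide as the address itself discloses the whole
        # client address, not a subnet, to every server the iterator consults.
        "exposes_full_address": ecs["source_prefix"] == net.max_prefixlen,
        "host_bits_zero": ecs["host_bits_zero"],
    }


def audit_ecs_options(options: list) -> list:
    """Classify a batch of option bodies and keep only the ones worth attention."""
    findings = []
    for raw in options:
        try:
            result = classify_ecs(raw)
        except ValueError as exc:
            findings.append({"error": str(exc), "raw": raw.hex()})
            continue
        if result["rfc1918"] or result["exposes_full_address"] or not result["host_bits_zero"]:
            findings.append(result)
    return findings


# Constructed samples, not captured traffic: an RFC 1918 /24, a benign /24 of
# documentation space, a /32 exposing the full client address, an IPv6 /56, an
# option whose address field is one byte short, and a /20 with host bits set.
SAMPLE_OPTIONS = [
    build_ecs_option("192.168.1.77", 24),
    build_ecs_option("203.0.113.9", 24),
    build_ecs_option("203.0.113.9", 32),
    build_ecs_option("2001:db8::1", 56),
    bytes.fromhex("00011800c0a8"),
    bytes.fromhex("00011400c0a801"),
]

if __name__ == "__main__":
    for finding in audit_ecs_options(SAMPLE_OPTIONS):
        print(finding)
```

The checks are deliberately conservative: RFC 1918 space in the payload and a full-width prefix are both things a stub or forwarder on the user's side of the policy boundary should have masked before the query left the network, so either one is a sign that the "local octets" the message describes are travelling further than intended.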