On 10/14/13 4:24 PM, "Paul Hoffman" <paul.hoff...@vpnc.org> wrote:
> On Oct 14, 2013, at 12:43 PM, Suzanne Woolf <wo...@isc.org> wrote:
>
>> I've really enjoyed reading the responses to this,
>
> +1

+1. The variety of responses has been both interesting and useful.

>> and admit my own answer is (yet another flavor of) "It depends."
>
> That seems to be the median so far.

As is mine (an "it depends" variation)...

From an ideal perspective, and being an advocate of DNSSEC, I'd like a DNSSEC-validating recursive resolver to be deployed as close as possible to the end user so that the potential for attackers to be in the path is as minimal as can be. In my truly ideal world I'd like that DNSSEC validation to be occurring within the operating system running on the user's computer, or perhaps even in the application they are using. So on a macro level I definitely agree with the comments here by Paul Vixie and others.

That said, the answer really depends upon the quality of the IT staff and what you consider "average IT talents". I've seen many small organizations such as the one described where the 2 IT people run all the servers, run the network infrastructure and provide great service to the users - and they should definitely run their own recursive resolvers.

I've also seen other organizations where the 2 IT people are so buried in firefighting all their daily issues that they don't necessarily have the time, energy or knowledge to do more than keep up with virus issues, password resets or whatever other fires they are fighting. In those cases, even as simple as a recursive resolver would be to operate, the cases where there are problems would be more than the IT staff could truly handle - and they would look to outsource that to the ISP's resolver (or Google or OpenDNS). And in all honesty the users might be safer with that outsourced DNS resolver.

On a strategic level, I don't like this second answer... but I understand *why* it might be appropriate for some small organizations.
>> I'm wondering what motivated the question, particularly in such a
>> generic form.
>
> In various discussions on different DNS-related topics, some people have
> said that "obviously" everyone should have a resolver at X, where X had
> wildly different values. I thought it would be useful to create a
> "typical" use case and see if X converged in a community such as this.
>
> It didn't. That's a useful data point for people creating other protocols
> who have to listen to commenters who say where resolvers need to be.

Thanks for stimulating the discussion.

Dan

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org <mailto:y...@isoc.org>
+1-802-735-1624
Jabber: y...@jabber.isoc.org <mailto:y...@jabber.isoc.org>
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs