On Monday, December 28, 2015 09:43:01 AM Olafur Gudmundsson wrote:
...
> In 1999 or 2000 we started seeing LoadBalancers that returned NXDOMAIN for
> any query other than A for a name. At the time the bind-9 team argued about
> what to do, I still think that the behavior selected was the wrong one i.e.
> ignore NXDOMAIN for AAAA query and ask for A.

i agreed with you and still do. the operators consuming BIND9 didn't and
still don't.

> IMHO a resolver that does not like the answers it is getting from an
> authority has full right to stop trying to find the answer and return
> SERVFAIL. I understand that operators of said resolver will get complaints
> that important cat pictures are unavailable,……

i would love it if operators would want the best long term outcome, and
would tolerate short term pain in order to inflict tough love elsewhere in
the economy. however, just as comcast didn't like being the only operator
whose DNSSEC validation was causing nasa.gov not to resolve during a
high-profile landing on some asteroid somewhere, it's also the case that no
operator can afford to take phone calls and trouble reports from large
numbers of customers at once.

> I think for all practical purposes this situation is a great example of the
> “Prisoners Dilemma” as there is no way to educate the people writing the
> crap software as they are insulated by multiple layers of protection.

i agree with this analysis. arguably, the moment we all agreed that DNSSEC's
only purpose was to cause more resolution failures more often for more and
new reasons, we ought to have said it can't be deployed and shouldn't be
designed at all. i'm glad we did the foolish thing and kept going, though.

--
P. Vixie