Hi, thanks to Petr and Brian.

Brian Hartvigsen <bhartvig...@opendns.com> wrote on Tuesday, 21 March 2017 at 3:34 AM:

>>> For user privacy concern, we can revise ECS(114.240.0.0/24) => EIL (CHINA, BEIJING, UNICOM), give a
>>> tradeoff between privacy and precision.
>>
>> Nice, this sounds like an appropriate tradeoff to me.
>>
>> Side-effect of this is that it removes the need to maintain copies of
>> various Geo-IP databases all over the place, which is an improvement to
>> operational practice.
>
> I disagree. Unless you get the clients to implement EIL, then you've simply just pushed the need for geo-ip mapping from CDN to DNS provider. Of course one would assume that an ISP already has this mapping, but 3rd party DNS would not. So either they have to build the mappings, maintain a copy of some Geo-IP database, or hope that all the clients have it implemented. With 3rd party DNS carrying double digit percentages of traffic (iirc ~15% total from 2015 OARC presentation), that's not something to just brush away.
>
> — Brian

*AUTH*

ECS needs AUTH to do geo-ip mapping to decide the most satisfactory response. There is a Geo-IP database on the AUTH which is supporting ECS. (ECS example figures: Which CDNs support edns-client-subnet? <https://www.cdnplanet.com/blog/which-cdns-support-edns-client-subnet/>) Therefore, if AUTH supports ECS, the AUTH can support EIL too.

*RECUR*

Return to the original smart-dns-resolution problem: there are two critical factors that affect the response accuracy of the authoritative server (details written in my *Paper <https://drive.google.com/open?id=0B5gNT4RRJ0xPaG9nZ045VXRrZzg>*):

1) Is the resolver's IP address close to the client's IP address?
2) Is the IP geolocation database used by the authoritative server of high quality?

Public recursive resolvers offer free DNS resolution services for global users. But these servers are NOT CLOSE TO many users, because the public recursive service providers COULDN'T deploy servers in every country and every ISP's network. That is why public recursive service providers are starved of ECS, which carries the client subnet to AUTH for geo-ip mapping. Therefore, public recursive resolvers INCREASE the separation between the client's IP and the resolver's IP, because on the traditional ISP recursive resolver side, the ISP is near the client's IP.

That is why I say the most recommended is the P-Model: deploy EIL on the public recursive resolver, to partly lighten the burden of AUTH (as Petr pointed out) and decrease the user privacy risk on the PUB RECUR -> AUTH path. Deploying EIL on the I-Model (ISP recursive resolver) and the L-Model (local forwarding resolver) is long-term; the most realistic nowadays is the P-Model (public recursive resolver).

By the way, if 3rd party public recursive DNS are carrying double digit percentages of traffic, there is a high probability that they have strong technologies and rich resources to do geo-ip mapping for their client queries.

--
致礼 Best Regards
潘蓝兰 Pan Lanlan
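As an added illustration (not code from the thread, the EIL draft, or any resolver), here is the resolver-side step the discussion turns on: the P-Model recursive resolver maps the client address to a coarse (COUNTRY, AREA, ISP) tuple from its own geo table instead of forwarding a /24, and falls back to ECS-style truncation when it has no mapping. The prefixes, tuple values and function names are constructed assumptions.

```python
import ipaddress
from typing import Optional, Tuple, Union

Location = Tuple[str, str, str]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed, hypothetical geo table: prefix -> (COUNTRY, AREA, ISP).
# A real resolver would load this from its own Geo-IP database.
GEO_TABLE = {
    ipaddress.ip_network("114.240.0.0/12"): ("CHINA", "BEIJING", "UNICOM"),
    ipaddress.ip_network("114.248.0.0/14"): ("CHINA", "TIANJIN", "UNICOM"),
    ipaddress.ip_network("2001:db8::/32"): ("CHINA", "SHANGHAI", "TELECOM"),
}


def ecs_source(client_ip: str, v4_bits: int = 24, v6_bits: int = 56) -> Network:
    """Truncate the client address the way an ECS-sending resolver does
    (/24 for IPv4, /56 for IPv6 are common defaults)."""
    addr = ipaddress.ip_address(client_ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def eil_lookup(client_ip: str) -> Optional[Location]:
    """Longest-prefix match of the client address against the geo table.
    Returns None when the resolver has no mapping for this address."""
    addr = ipaddress.ip_address(client_ip)
    best: Optional[Tuple[Network, Location]] = None
    for net, loc in GEO_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, loc)
    return best[1] if best else None


def client_location_option(client_ip: str):
    """Decide what the resolver attaches to the upstream query: the coarse
    EIL tuple when it has a mapping, otherwise the ECS-style subnet. This is
    the fallback Brian's objection implies for a resolver without geo data."""
    loc = eil_lookup(client_ip)
    if loc is not None:
        return ("EIL", loc)
    return ("ECS", ecs_source(client_ip))
```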
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop