I think Colin just said everything I said, but in 1/10'th the words. And he posted before me. Drats.
--Patrick Darden

-----Original Message-----
From: Colin Alston [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2008 8:38 AM
To: Joe Greco
Cc: [EMAIL PROTECTED]
Subject: Re: maybe a dumb idea on how to fix the dns problems i don't know....

Joe Greco wrote:
>> Unix machines set up by anyone with half a brain run a local caching
>> server, and use forwarders. IE, the nameserver process can establish a
>> persistent TCP connection to its trusted forwarders, if we just let it.
>
> Organizations often choose not to do this because doing so involves more
> risk and more things to update when the next vulnerability appears. In
> many cases, you are suggesting additional complexity and management
> requirements. A hosting company, for example, might have 20 racks of
> machines with 40 machines each, which is 800 servers. If half of those
> are UNIX, then you're talking about 402 nameservers instead of just 2.

[Customers] <--/UDP/--> [DNS Cache] <--/TCP/--> [DNS servers]

Not so?

Of course, one shouldn't let the rest of the internet touch your DNS Cache query interface... but that's just obvious.

I mentioned this a while ago though, so I demand credit ;P

Also, I think there is probably an IETF DNS WG list where this fits on topic (I have no idea what it may be though).
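The layout Colin draws above ([Customers] <--UDP--> [DNS Cache] <--TCP--> [DNS servers], with the cache's query interface closed to the rest of the internet) can be expressed directly as a resolver configuration. The following is an added example written for this page, not something posted in the thread or taken from any of the posters; it uses Unbound's configuration syntax, and all addresses are constructed placeholders from the RFC 5737 and RFC 3849 documentation ranges.

```conf
# Added example (not from the thread): an Unbound cache laid out as
# [Customers] <--UDP--> [DNS Cache] <--TCP--> [DNS servers].
# All addresses are constructed placeholders (RFC 5737 / RFC 3849 ranges).
server:
    # Listen only on the customer-facing address (constructed).
    interface: 192.0.2.53
    port: 53
    do-udp: yes
    do-tcp: yes

    # Refuse everyone by default, then allow only the customer networks, so
    # the rest of the internet never reaches the cache's query interface.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/32 allow

    # Carry every upstream query over TCP rather than UDP: an off-path
    # sender cannot complete the TCP handshake, so it cannot inject a
    # forged answer for one of the cache's outstanding queries.
    tcp-upstream: yes

# Hand all queries to the trusted forwarders (constructed addresses); the
# cache talks to nothing else upstream.
forward-zone:
    name: "."
    forward-addr: 198.51.100.1
    forward-addr: 198.51.100.2
```

Validate the file with `unbound-checkconf` before loading it, and confirm the design with a packet capture on the cache: traffic to the forwarders should be TCP/53 only, while queries from outside the allowed customer ranges should come back REFUSED. Note that `tcp-upstream` forces the transport; whether a connection is kept open and reused across queries, as Joe Greco describes, depends on the resolver implementation and version rather than on this option.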