On Oct 15, 2013, at 4:58 PM, Paul Hoffman <[email protected]> wrote:

> On Oct 15, 2013, at 1:36 PM, Jared Mauch <[email protected]> wrote:
> 
>> On Oct 15, 2013, at 2:12 AM, Peter Koch <[email protected]> wrote:
>> 
>>> sure. Yet another instance of "the DNS people have said ...". Come on.
>> 
>> This is akin to asking the founding member of the local mercedes car club 
>> what sort of car you should get. :)
>> 
>> <sarcasm>Is there something wrong with this?</sarcasm>
> 
> It could have been, but the responses were a few on one pole, a few on the 
> other, and a lot of "it depends". Some of the "it depends" responses leaned 
> in one direction, but some leaned in the other. And I don't think anyone 
> said "Mercedes"...

Have you ever driven one?  They are mighty nice :)

Back in the 90s I would agree everyone should run a DNS server, as the network 
wasn't as robust as it is today.

Some folks may need local elements (e.g. MS DNS/AD), but these should not be 
exposed to the internet.  They lack the ability to scope responses based on the 
query source to prevent them being global open resolvers.  They are just fine 
for behind a firewall/NAT to take stub queries and meet the internal IT needs.

Everyone else should just use either their ISP (with NXDOMAIN rewriting turned 
off) or someone like OpenDNS that can help enforce some security policies and 
practices with a few knobs being turned at most.

Folks like Comcast have large validating resolvers.  Their customers should use 
them.  Folks here are surely going to do the right thing the majority of the 
time.  The vast majority of others are going to set things up once and it 
*will* be left to rot.  This isn't intentional, but it naturally happens.

- Jared
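The source-based scoping described above, as an added example that is not part of the thread: a BIND 9 named.conf fragment showing the open setting beside the scoped one. The ACL name and network prefixes are assumed placeholders.

```conf
// Added example, not from the thread: BIND 9 named.conf fragment.
// "internal" and the prefixes below are assumed placeholders for a site's own networks.

acl "internal" {
    127.0.0.0/8;
    192.0.2.0/24;        // assumed internal IPv4 prefix (RFC 5737 documentation range)
    2001:db8::/32;       // assumed internal IPv6 prefix (RFC 3849 documentation range)
};

options {
    directory "/var/cache/bind";
    recursion yes;

    // Weak: answering recursive queries from any source makes this a global open resolver.
    // allow-recursion { any; };
    // allow-query-cache { any; };

    // Scoped: only stub resolvers on the internal network may recurse or read the cache.
    allow-recursion { internal; };
    allow-query-cache { internal; };

    // Any authoritative zones this server hosts can still be answered for everyone.
    allow-query { any; };

    // Keep DNSSEC validation on so internal clients get validated answers.
    dnssec-validation auto;
};
```

A resolver that is only reachable behind a firewall/NAT still benefits from the scoped ACL, since the firewall rule and the ACL fail independently.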
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations