On 27 Nov 2017, at 14:47, Richard Barnes <r...@ipv.sx> wrote:

> As tempting as it may be to do the easy thing, it's not always the best use 
> of resources.  Looking at the closest tree might be easy for one observer, 
> but when you try to do it with enough observers to have a result that's 
> useful for the King of the Jungle, you end up with similar tangles.
> 
> I don't think that it makes sense to infer from the failure of RFC 8145 that 
> resolver/authoritative telemetry isn't possible -- just that it's not 
> possible with the heavy-weight machinery in that mechanism.  To the degree 
> that the DNS still works at all, there must be some channel by which 
> information can be faithfully passed from authoritative to resolver, which 
> can presumably be used to bootstrap telemetry.  Maybe it's a TXT record with 
> an HTTP URL; maybe it's a funny CNAME.

In the case of the root zone, the additional complications include the 
procedural difficulty in installing experimental records in the zone itself, 
the amount of effort which has gone into reducing legitimate reasons for 
resolvers to send queries to the root servers at all, e.g. through the use of 
aggressive negative caching and even the TTLs on delegation NS sets, and the 
effort required to do data collection on the root servers, whose twelve 
operators manage many hundreds of instances. The existence of caching (and the 
degree to which people take liberties with what they can or should cache) also 
adds complication, not all of which is deterministic.

Although it is intuitively obvious that collecting data from millions of 
end-users is harder than collecting data on hundreds of root server instances, 
it turns out that there is a whole industry that more or less exists to collect 
data from end-users already and no corresponding mechanism for authority 
servers. Also counter-intuitively, some root server operators view the traffic 
they receive as containing PII whilst the privacy concerns with 
kskroll-sentinel seem benign.

When it comes down to it, you can more often rely upon an end-user's query 
being sent and a response being generated by a recursive server than you can 
rely upon queries and responses being exchanged within a (potentially complex) 
graph of resolvers and authority servers. That potential complexity means that 
understanding whatever data you do collect can be difficult.

> Maybe you can't build a road through the jungle, but there are still rivers 
> that make it through, which can carry a message in a bottle.

You might see a river go in and a river come out and be tempted to assume that 
the bit in the middle is river-shaped, or that the two parts you can see are 
connected, but you won't always be right.


Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
