Ah, see. Now we're getting somewhere. But what about load balancing and CDNs? DNS was not designed for those purposes. What if users are not completely ignorant of the geographical locations of the IP addresses they choose to store and use, and if we allow them to make their own choices? Determining which is the closest server or the most responsive is not rocket science. A good HOSTS file coupled with a good local cache is in my experience faster than any DNS service. But it's relatively rare to see users setting themselves up this way. My guess is that is not due to difficulty, it's due to ignorance. Maybe even peer pressure. The "experts" will tell you to use a shared cache, exposing you to all manner of security flaws. Ask yourself how many lookups the average user makes in a day to the DNS? How many of those lookups are for the same sites, day after day? How many times do the IP addresses for these sites actually change? Finally, ask yourself how many of those lookups are for IP addresses not attached to any website you will ever visit (i.e., they are for serving advertisements, behavioural tracking elements, etc). You can also restrict queries only to authoritative servers.
This is something I threw together as an experiment. For me, it works beautifully. Then the "experts" will tell you we need DNSSEC, to counter the problem posed by using shared caches. The impetus for its resurgence is the use of shared caches and "cache poisoning". Do we have to use shared caches? No. DNSSEC has become like security theater - the simple fact is that no one is accountable for the information in the current DNS except the site owners themselves. All the DNSSEC proponents can do is pray that more people will start using it. It's a cash cow for some consultants. The other simple fact is that the most important TLD servers do not change IP addresses very often. They are more or less static. Anyone can download a copy of those numbers and store it. Does it matter if each individual record is signed? It only matters if you like to do recursion. Maybe what matters more is that the file you download is itself signed. For the DNSSEC system to work, to restore some confidence in shared caches (which may potentially be censored by SOPA-like legislation), the most important people who need to use DNSSEC are the authoritative servers for the websites themselves. Will they undertake this? Weighed against the triviality and increased security to the user of using a local cache and HOSTS file, thereby avoiding cache poisoning altogether, is anyone going to bother with learning DNSSEC? DNSSEC is a huge burden. Unless of course you offload responsibility to someone else. Cha ching. But no one is going to be more secure using something they delegate to someone else and cannot themselves understand. To someone who wants to learn, I can explain a HOSTS file and how to do non-recursive lookups much easier than I can explain DNSSEC. We have wider acceptance of EDNS. And there are people advocating TCP. Obviously some people really want DNSSEC to take off. Why?
If the Internet can handle the load of EDNS and TCP, all for a simple number lookup that otherwise fits in 512 bytes and requires no connection setup/breakdown, querying authoritative servers instead of doing the inherently insecure recursion routine with other people's caches is not going to bring the Internet to its knees. algoshift, you are absolutely correct. Decentralisation is the way to go and, imo, is in the true spirit of the Internet.
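Added example (not code from the post): a minimal non-recursive lookup in Python. It builds the query with the RD bit cleared, so only a server authoritative for the name gives a useful answer, then checks the reply's transaction ID, AA flag and the 512-byte UDP size before pulling out the A records (name, TTL, address) that would go into a HOSTS file. `SAMPLE_REPLY` is a constructed packet with a TEST-NET address; sending the query over a UDP socket to the zone's authoritative server is left to the reader.

```python
import struct

def build_query(name, qid, qtype=1, recursion_desired=False):
    """Build a DNS query; RD=0 by default, i.e. a non-recursive lookup."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # qclass IN

def _read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    return ".".join(labels), end if end is not None else off

def parse_answers(pkt, expected_id):
    """Validate a reply and return [(name, ttl, ipv4)] for its A records."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    # Reject: over 512 bytes (classic UDP limit), wrong transaction ID (basic
    # spoofing check), or flags without QR=1, AA=1 (authoritative), RCODE=0.
    if len(pkt) > 512 or qid != expected_id or flags & 0x840F != 0x8400:
        raise ValueError("reply rejected (size, transaction ID or QR/AA/RCODE)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record -> HOSTS-file material
            records.append((name, ttl, ".".join(str(b) for b in pkt[off:off + 4])))
        off += rdlen
    return records

# Constructed authoritative reply (QR|AA) to build_query("example.com", 0x1234).
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
                + build_query("example.com", 0)[12:] + b"\xc0\x0c"  # question, name ptr
                + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
```

Each returned tuple maps to one HOSTS line (`192.0.2.1 example.com`), and the TTL tells you how long the authoritative server considers it valid.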