RFC 2182 considered harmful

["D. J. Bernstein" <djb@cr.yp.to>]

Consider a typical department network or small company network with two
independent DNS servers, no offsite machines, and no child domains.

RFC 2182 strongly recommends replacing one of the DNS servers with a
third-party DNS server. This recommendation is, to put it simply, wrong.
The costs outweigh the benefits.

RFC 2182 points to the extra DNS packets required to try and retry
inaccessible servers. But it

   * ignores the useless TCP SYN packets that would have been generated
     if the DNS lookup had succeeded;

   * ignores the effect of DNS failure caching, which it incorrectly
     claims does not exist; and

   * ignores the extra traffic required by third-party zone transfers.

The total effect of RFC 2182's recommendation is to _increase_ Internet
traffic. Anyway, the numbers in both directions are extremely small.

RFC 2182 also claims, without giving specifics, that some clients do not
produce ``desirable'' results when DNS lookups fail. But any such client
is clearly buggy, and won't survive in the marketplace---what do you
think happens when the _client's_ network is inaccessible? The idea of
100% DNS lookup success doesn't stand up to a moment's scrutiny.

Finally, RFC 2182 says that some hosts may be on a different network.
This is true for large sites and high-level servers, but in those cases
the sysadmin can set up one server on each network without wasting time
on third-party service. For department networks it's rarely true.

RFC 2182 has frightened many administrators into obtaining unnecessary
third-party DNS service. It says that this ``must'' be done and that it
is ``important'' and that the alternative---which it admits is easier
for administrators---is ``not a good policy''; but these bold claims are
not justified by the facts.

RFC 2182 should be revised to give an accurate statement of the costs
and benefits of third-party DNS service.

---Dan