To:
dnsop@cafax.se
From:
"D. J. Bernstein" <djb@cr.yp.to>
Date:
4 Feb 2000 05:18:04 -0000
Sender:
owner-dnsop@cafax.se
Subject:
RFC 2182 considered harmful
Consider a typical department network or small company network with two independent DNS servers, no offsite machines, and no child domains. RFC 2182 strongly recommends replacing one of the DNS servers with a third-party DNS server. This recommendation is, to put it simply, wrong. The costs outweigh the benefits. RFC 2182 points to the extra DNS packets required to try and retry inaccessible servers. But it * ignores the useless TCP SYN packets that would have been generated if the DNS lookup had succeeded; * ignores the effect of DNS failure caching, which it incorrectly claims does not exist; and * ignores the extra traffic required by third-party zone transfers. The total effect of RFC 2182's recommendation is to _increase_ Internet traffic. Anyway, the numbers in both directions are extremely small. RFC 2182 also claims, without giving specifics, that some clients do not produce ``desirable'' results when DNS lookups fail. But any such client is clearly buggy, and won't survive in the marketplace---what do you think happens when the _client's_ network is inaccessible? The idea of 100% DNS lookup success doesn't stand up to a moment's scrutiny. Finally, RFC 2182 says that some hosts may be on a different network. This is true for large sites and high-level servers, but in those cases the sysadmin can set up one server on each network without wasting time on third-party service. For department networks it's rarely true. RFC 2182 has frightened many administrators into obtaining unnecessary third-party DNS service. It says that this ``must'' be done and that it is ``important'' and that the alternative---which it admits is easier for administrators---is ``not a good policy''; but these bold claims are not justified by the facts. RFC 2182 should be revised to give an accurate statement of the costs and benefits of third-party DNS service. ---Dan