On Fri, Dec 05, 2008 at 09:22:39AM -0500, Keith Moore wrote:

> > but you're really missing the point, which is that DNS fails a lot.
>
> note that DNS failures aren't all with the authoritative servers -
> they're often with caches, resolver configuration, etc.

Before the thread degenerates completely into "DNS is not reliable" / "Is too" pairs of messages, I'd like to ask what we can do about this.

It seems to me true, from experience and from anecdote, that DNS out at endpoints has all manner of failure modes that have little to do with the protocol and a lot to do with decisions that implementers and operators made, either on purpose or by accident. I anticipate that the gradual deployment of DNSSEC (as well as various other "forgery resilience" techniques) will expose many of those failures in the nearish future. This suggests to me that there will be an opportunity to improve some of the operations in the wild, so that actually broken implementations are replaced and foolish or incompetent administration gets corrected, if only to get things working again.

It'd be nice if we had some practical examples to analyse and for which we could suggest repairs, so that there would be a convenient cookbook-style reference for the perplexed. If you have a cache of these examples, I'd be delighted to see them.

A

--
Andrew Sullivan
ajs@xxxxxxxxxxxx
Shinkuro, Inc.