[AusNOG] Google DNS

Andree Toonk andree at bgpmon.net
Wed Oct 15 03:36:53 EST 2014


.-- My secret spy satellite informs me that at 2014-10-14 8:59 AM  Mark
Delany wrote:

On 13Oct14, Andree Toonk // BGPmon.net allegedly wrote:
>
> > The issues with Open Resolvers and Geo location & CDNs have been solved
> > a while ago
>
> Lemme see...
>
> a) Public caches insist on white-listing auths prior to sending
>    edns-client-subnet. Obviously white-listing is not an
>    internet-scale solution. I presume they intend to turn off
>    white-listing some time in the distant future once they determine
>    that sending this option is universally safe.
>


Ack. But since we were talking about CDN issues: there's only a finite
number of CDNs. All large ones are participating. It's not perfect, but
they solved this particular problem.


> b) The last version of the specification expired over 9 months ago and
>    seems not to have gained traction within any IETF standardization
>    group.
>

But all major CDNs support it anyway, as they all agree that this is a
problem that needs to be solved, since the number of users behind Open
Resolvers is significant.


>
> c) Many OS and commercial auth and cache implementations do not offer
>    this option as a standard part of their implementation even though
>    the spec has been around for a number of years - thus participation
>    is pretty constrained.
>

See B


> d) Technically there is some question about whether the necessary
>    narrowing of the privacy mask will dilute the privacy effect as the
>    v4 address space gets divided into ever smaller allocations. A
>    glitch I only recently stumbled across myself.
>

Most folks set it to a /24 (I know OpenDNS does), which works fine in 99%
of cases.


>
> You could argue that the population of Open Resolvers and CDNs is
> small and they all know each other, but GEO location is consumed by
> many others besides the large CDNs providers and an increasing number
> of ISPs and corps place their caches in a hierarchy behind public
> caches.
>
> That's not to say edns-client-subnet is a bad idea, but it's drawing a
> rather long bow to say it was "solved" a while ago.
>

It was solved for CDNs and Open Resolver operators, which is what this
discussion was about.

Cheers,
 Andree
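
The /24 privacy mask discussed in point d), as an added example that is not part of the original thread: it encodes and decodes an edns-client-subnet option and counts how many addresses share one mask. It assumes the option layout as later published in RFC 7871 (option code 8); the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS option code for client subnet (RFC 7871)
_FAMILY = {4: 1, 6: 2}  # IP version -> address family number used on the wire
_NETWORK = {1: ipaddress.IPv4Network, 2: ipaddress.IPv6Network}


def build_ecs_option(client_ip, source_prefix=24):
    """Encode the option a resolver would send for client_ip, masked to source_prefix bits."""
    addr = ipaddress.ip_address(client_ip)
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    # strict=False zeroes the host bits: this is the privacy mask.
    net = ipaddress.ip_network((addr, source_prefix), strict=False)
    # Only the bytes needed to cover the prefix are sent.
    masked = net.network_address.packed[: (source_prefix + 7) // 8]
    # FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries), ADDRESS
    payload = struct.pack("!HBB", _FAMILY[addr.version], source_prefix, 0) + masked
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option):
    """Decode an ECS option; return (network, scope_prefix). Raises ValueError if malformed."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    family, source, scope = struct.unpack("!HBB", option[4:8])
    raw = option[8:]
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    if family not in _NETWORK or len(raw) != (source + 7) // 8:
        raise ValueError("bad family or address length")
    full = raw.ljust(4 if family == 1 else 16, b"\x00")
    # Default strict=True rejects senders that left host bits set.
    return _NETWORK[family]((full, source)), scope


def clients_sharing_mask(option):
    """Number of addresses indistinguishable to the authoritative server."""
    network, _ = parse_ecs_option(option)
    return network.num_addresses
```

An authoritative server that receives a /24 sees one of 256 possible client addresses; each extra bit of prefix halves that set, which is the dilution point d) raises for small v4 allocations.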