From: George Lambert
To: Evan Hunt
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Mon, 20 Aug 2012 16:23:01 -0400
Subject: Re: [Cerowrt-devel] thoughts toward improving cerowrt's DNS and DNSSEC in the next release

Thank you for the response.

There may be benefit to a common UI configuration layer for DNS in the router
that has a checkbox for [ ] DNSSEC - that transparently swaps out the DNS Server
for the end user - and could deliver the best of both worlds today.

Most of the DNS Configuration Options in the UI could be abstracted out to write
the correct configuration files for the DNS solution of your choice, and we could
remove the integration detail to scripts that process the UI settings and control
the appropriate Start / Stop Scripts.
It would take a small piece of MiddleWare called by the UI that can take **any**
plugin solution that could be put into the Apps Package List.

This basic design principle might be useful in other areas of the router UI as
well, since there are probably a lot of "Swap This For That" options that will
be useful over the long term.

That probably deserves more thought.

G.

On Mon, Aug 20, 2012 at 4:14 PM, Evan Hunt wrote:
>> *** the following is meant to be an "opinion for discussion - not intended to
>> cause friction." ***
>
> Same here. I have parental affection for BIND, but if something else
> does a better job of making the internet better, then something else
> ought to win.
>
>> It is my opinion that - BIND9 should not be the only default install option,
>> and there should probably be an either or choice DNS Security / or
>> (Memory + Processor + Name Resolution Speed).
>>
>> I would agree that there is value in DNSSEC - for people who want it, but
>> I believe that it should be optional due to the substantial performance
>> penalty that comes from the combination of extra cpu and memory to run
>> BIND9 - for those who do not expect DNSSEC, or see value in it.
>>
>> 3 years from now when the demand for DNSSEC may be higher -
>> routers will have substantially more compute and memory, but today
>> both of those are critical components in the overall solution.
>
> I sort of agree and sort of don't. If I'm designing for the
> commonplace CPE of 2012, yeah, I'm probably not going to want BIND.
> But I hope for cerowrt to blaze the trails people will be following
> three years from now. By then, not only will we have beefier routers
> to run name servers on, but there'll probably be more choices of name
> servers that support the necessary feature set. Taking the memory hit
> to run BIND now lets us learn lessons about how to deal with
> home-network naming in a DNSSEC-enabled world while the stakes are
> still relatively low.
>
> I like your idea of having multiple options and making the tradeoffs
> explicit though.
>
> Evan

-- 
THINK BEFORE PRINTING: is it really necessary?

This e-mail and its attachments are confidential and solely for the
intended addressee(s). Do not share or use them without approval. If received
in error, contact the sender and delete them.
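The "small piece of MiddleWare" George sketches, as an added example that is not code from this thread or from CeroWrt: a POSIX shell script that reads the UI's settings from a constructed key=value file, lets the DNSSEC checkbox decide which resolver package runs, and renders that resolver's config. The settings file, its keys, the backend names (bind9 for DNSSEC, dnsmasq as the assumed lightweight alternative) and the init-script path are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Settings file name, key names,
# backend names and init-script location are assumptions for illustration.

SETTINGS_FILE="${SETTINGS_FILE:-/tmp/dns_ui_settings}"

# Constructed sample of what the UI would hand to the middleware.
write_sample_settings() {
  cat > "$SETTINGS_FILE" <<'EOF'
dnssec=1
upstream=192.0.2.53
listen=10.0.0.1
EOF
}

# get_setting KEY: print KEY's value from the settings file (empty if unset).
get_setting() {
  sed -n "s/^$1=//p" "$SETTINGS_FILE" | head -n 1
}

# choose_backend: the [ ] DNSSEC checkbox decides which resolver package runs.
choose_backend() {
  if [ "$(get_setting dnssec)" = "1" ]; then echo bind9; else echo dnsmasq; fi
}

# render_config BACKEND: write the config file the chosen resolver expects,
# so the UI options stay the same whichever backend is swapped in.
render_config() {
  up=$(get_setting upstream); lst=$(get_setting listen)
  case "$1" in
    bind9)
      printf 'options {\n  listen-on { %s; };\n  forwarders { %s; };\n' "$lst" "$up"
      printf '  dnssec-validation auto;\n};\n' ;;
    dnsmasq)
      printf 'listen-address=%s\nserver=%s\n' "$lst" "$up" ;;
    *) echo "unknown backend: $1" >&2; return 1 ;;
  esac
}

# start_script BACKEND: the Start / Stop script the UI should invoke
# for the selected plugin (path assumed).
start_script() { echo "/etc/init.d/$1"; }
```

A plugin for another resolver only needs a new `render_config` case and a matching init script; the UI and its settings file stay unchanged.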