From: Evan Hunt
To: George Lambert
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Mon, 20 Aug 2012 13:14:37 -0700
Subject: Re: [Cerowrt-devel] thoughts toward improving cerowrt's DNS and DNSSEC in the next release

> *** the following is meant to be an "opinion for discussion - not intended to
> cause friction." ***

Same here.
I have parental affection for BIND, but if something else does a better job of making the internet better, then something else ought to win.

> It is my opinion that - BIND9 should not be the only default install option,
> and there should probably be an either-or choice: DNS Security / or
> (Memory + Processor + Name Resolution Speed).
>
> I would agree that there is value in DNSSEC - for people who want it, but
> I believe that it should be optional due to the substantial performance
> penalty that comes from the combination of extra CPU and memory to run
> BIND9 - for those who do not expect DNSSEC, or see value in it.
>
> 3 years from now when the demand for DNSSEC may be higher -
> routers will have substantially more compute and memory, but today
> both of those are critical components in the overall solution.

I sort of agree and sort of don't. If I'm designing for the commonplace CPE of 2012, yeah, I'm probably not going to want BIND. But I hope for cerowrt to blaze the trails people will be following three years from now. By then, not only will we have beefier routers to run name servers on, but there'll probably be more choices of name servers that support the necessary feature set. Taking the memory hit to run BIND now lets us learn lessons about how to deal with home-network naming in a DNSSEC-enabled world while the stakes are still relatively low.

I like your idea of having multiple options and making the tradeoffs explicit, though.

Evan