[Cerowrt-devel] thoughts toward improving cerowrt's DNS and DNSSEC in the next release

Evan Hunt ethanol at gmail.com
Mon Aug 20 16:14:37 EDT 2012

> *** the following is mean to be an "opinion for discussion - not intended to
> cause friction.'  ***

Same here.  I have parental affection for BIND, but if something else
does a better job of making the internet better, then something else
ought to win.

> It is my opinion that - BIND9 should not be the only default install option,
> and there should probably be an either or choice DNS Security / or
> (Memory + Processor + Name Resolution Speed).
> I would agree that there is value in DNSSEC - for people who want it, but
> I believe that it should be optional due to the substantial performance
> penalty that comes from the combination of extra cpu and memory to run
> BIND9 - for those who do not expect DNSSEC, or see value in it.
> 3 years from now when the demand for DNSSEC may be higher -
> routers will have substantially more compute and memory, but today
> both of those are critical components in the overall solution.

I sort of agree and sort of don't.  If I'm designing for the
commonplace CPE of 2012, yeah, I'm probably not going to want BIND.
But I hope for cerowrt to blaze the trails people will be following
three years from now.  By then, not only will we have beefier routers
to run name servers on, but there'll probably be more choices of name
servers that support the necessary feature set.  Taking the memory hit
to run BIND now lets us learn lessons about how to deal with
home-network naming in a DNSSEC-enabled world while the stakes are
still relatively low.

I like your idea of having multiple options and making the tradeoffs
explicit though.


More information about the Cerowrt-devel mailing list