Re: DNS Sec isn't the problem
"I am not an expert in networking, however as I understand it, unless I set my recursive DNS server to generate my own cache of queries by using the primary authoritative sources for every request, then at some point I have to trust the information coming to me via intermediaries is legitimate."
That's correct, and that's what I meant - priming your server from the root servers rather than forwarding to other recursive nameservers.
You don't then have to care what state your ISP's servers are in.
Also, caching works at all levels of the lookup, so it's not as if you're constantly traversing from root.
(e.g. after the first lookup of blah.co.uk, your local server will remember where to go next time it wants to resolve a .co.uk address.)
[ If you are really anal, you could slave/download the root zone locally anyway! ]
Speedwise? If your ISP's nameserver doesn't already have a cached entry, it has to do the same thing your server would do directly.
Even if it is cached, a few extra milliseconds *once* per site won't be noticeable, and even that assumes your ISP's server isn't slightly delayed by all the other people using it.
"After all, the major peering networks need to have this information, and they have lots of people employed to ensure that it is correct. At the end of the day the situation always comes down to the cost/benefits of who should you trust."
I doubt ANY peering uses DNS!
But anyway, for a techie who knows what they are doing (i.e. I wouldn't expect this of grandma), doing this saves time, as you are reducing the number of points of failure, and ensuring your results haven't been altered (of course, this is assuming we are just talking about server operators altering results rather than hacking).
"What I object to in my example above is the unadvertised corruption of the DNS information being passed on to me by sources that are marketed as "trustworthy". My ISP diverting traffic to its own services is one thing - that is expected, and I can bypass it by specifying an external DNS source. Google DNS or OpenDNS diverting my traffic back to my ISP instead of to the public internet or to their own services is quite another. Especially since OpenDNS markets itself as a trusted independent supplier of DNS information, yet has clearly entered into commercial agreements with ISPs to support their traffic management."
I agree with you in principle, but I fear you may have things a bit confused:
Firstly, 'ISP diverting to its own service' .... NOOOO! Why would that be OK? Not unless ordered to by a court.
Secondly, 'Google or OpenDNS diverting...' should also be a no-no, but..... :
Basically the resolver shouldn't alter the result at all, but return the same you would get if resolving directly.
However, are you sure this is happening? What you describe is how CDN systems work - if the site concerned has a caching proxy within your ISP, then its DNS itself will return the address of your local ISP's server - this has nothing to do with third-party manipulation.
(Apologies if I'm not too clear.... It's hard to concentrate as I've finally got fed up of my constantly noisy neighbour, and decided to drown out her shit with very loud bass-heavy happy hardcore.... Passive-aggressive? moi?)
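An added illustration of the point about caching at every level of the lookup (this is example code, not part of the comment above or any real resolver): a toy root-primed resolver walks referrals from a root hint, remembers each delegation it learns, and so a second .co.uk lookup starts at the cached co.uk servers instead of the root. All zone data and addresses below are constructed.

```python
# Constructed authoritative data (not real servers): each zone lists the address of the
# server that serves it, the child zones it delegates (NS + glue), and the A records it holds.
ZONES = {
    ".":            {"addr": "198.51.100.0", "NS": {"uk.": "198.51.100.1"}},
    "uk.":          {"addr": "198.51.100.1", "NS": {"co.uk.": "198.51.100.2"}},
    "co.uk.":       {"addr": "198.51.100.2", "NS": {"blah.co.uk.": "198.51.100.3",
                                                     "other.co.uk.": "198.51.100.4"}},
    "blah.co.uk.":  {"addr": "198.51.100.3", "A": {"www.blah.co.uk.": "203.0.113.10"}},
    "other.co.uk.": {"addr": "198.51.100.4", "A": {"www.other.co.uk.": "203.0.113.20"}},
}
SERVER_ZONE = {z["addr"]: name for name, z in ZONES.items()}
ROOT_HINT = ZONES["."]["addr"]  # the only address a root-primed resolver needs to start


def query(server_addr, qname):
    """Stand-in for sending a DNS query to server_addr: answer, referral, or NXDOMAIN."""
    zone = ZONES[SERVER_ZONE[server_addr]]
    if qname in zone.get("A", {}):
        return {"type": "A", "addr": zone["A"][qname]}
    for child, ns_addr in zone.get("NS", {}).items():  # refer the client down the tree
        if qname == child or qname.endswith("." + child):
            return {"type": "referral", "zone": child, "addr": ns_addr}
    return {"type": "NXDOMAIN"}


class RootPrimedResolver:
    def __init__(self):
        self.delegations = {}  # zone -> nameserver address learned from referrals
        self.answers = {}      # qname -> address (positive answer cache)

    def closest_known(self, qname):
        """Deepest zone enclosing qname whose servers we already know, else the root."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            if zone in self.delegations:
                return zone, self.delegations[zone]
        return ".", ROOT_HINT

    def resolve(self, qname):
        """Return (address, zones actually asked); an empty trail means a cache hit."""
        if qname in self.answers:
            return self.answers[qname], []
        zone, server = self.closest_known(qname)
        trail = []
        while True:
            trail.append(zone)
            reply = query(server, qname)
            if reply["type"] == "A":
                self.answers[qname] = reply["addr"]
                return reply["addr"], trail
            if reply["type"] == "NXDOMAIN":
                return None, trail
            zone, server = reply["zone"], reply["addr"]
            self.delegations[zone] = server  # remember where to go next time
```

The trail returned by `resolve` shows which servers were consulted: the first .co.uk lookup walks root, uk, co.uk and the site's own servers, while the next .co.uk name skips straight to co.uk.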