Bender's comments

For me and also the place I retired from, the optimal solution was an instance of Unbound [1] on every node keeping local cache, retrying edge resolvers intelligently, preferring the fastest responding edge resolvers, cap on min-ttl for both resource records and infrastructure, pre-caching, etc... I've done that at home and when others talk about a DNS outage I have to go out of my way to see or replicate it, usually by forcing a flush of the cache.

Most Linux distributions have a build of Unbound. I point edge DNS recursive resolvers to the root servers rather than leaking internal systems requests to Cloudflare or Google. Unbound can also be configured to not forward internal names or to point requests for internal names to specific upstream servers.

[1] - https://nlnetlabs.nl/projects/unbound/about/
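
A configuration sketch of the two-tier layout described in the comment above, added here as an example and not taken from the commenter's own setup. The `corp.example.` zone, every IP address, the root hints path and the TTL values are assumptions to adapt.

```conf
# ---- /etc/unbound/unbound.conf on every node (local caching tier) ----
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Pre-caching: refresh popular records shortly before they expire.
    prefetch: yes
    # Floor on record TTLs in seconds (assumed value), so very short
    # TTLs do not turn every lookup into an upstream query.
    cache-min-ttl: 300
    # Lifetime of per-upstream RTT and reachability data (infra cache).
    infra-host-ttl: 900
    # Keep answering from expired cache entries while upstreams are
    # retried, for at most one day past expiry.
    serve-expired: yes
    serve-expired-ttl: 86400
    # The internal zone is unsigned; only relevant when DNSSEC
    # validation is enabled.
    domain-insecure: "corp.example."

# Internal names go only to the internal servers (assumed addresses),
# so they never reach a public resolver.
forward-zone:
    name: "corp.example."
    forward-addr: 10.0.0.53
    forward-addr: 10.0.1.53

# Everything else goes to the site's own edge resolvers. Unbound tracks
# each one's RTT in the infra cache and steers away from slow or
# unresponsive servers.
forward-zone:
    name: "."
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11

# ---- /etc/unbound/unbound.conf on an edge resolver ----
# No forward-zone for ".", so it recurses from the root servers itself
# instead of handing queries to a third-party public resolver.
server:
    interface: 192.0.2.10
    access-control: 10.0.0.0/8 allow
    root-hints: "/etc/unbound/root.hints"
    qname-minimisation: yes
    prefetch: yes
```

Running `unbound-checkconf` against each file catches syntax errors before the resolver is restarted.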


Nice. Running Unbound locally with intelligent upstream selection and caching definitely reduces blast radius from edge resolver outages.

I haven't tried Unbound but I’m curious though, how do you handle recovery behavior when the failure isn’t just recursive resolver unavailability, but scenarios like stale IPs after control plane failover, or long-lived gRPC connections that never re-resolve, or bootstrap loops where the system that needs to reconfigure DNS itself depends on DNS?

In my experience, local recursive resolvers solve availability pretty well, but recovery semantics still depend heavily on client behavior and connection lifecycle management.

Do you rely on aggressive re-resolution policies at the application layer? Or force connection churn after TTL expiry?

Would love to understand how you think about resolver-level resilience vs application-level recovery.


I do not like the idea of throwing up road blocks solely to make life harder for any group of people.

Neither do I. Such tests are supposed to be performed at weigh stations. In my opinion a road block would only be required if unqualified truckers are sharing notes on how to bypass weigh stations and there are no cameras catching this behavior or if unqualified drivers are traveling in packs to cause back-ups at the weigh stations. That needs to be fixed if so.


I do not like the idea of throwing up road blocks solely to make life harder for any group of people.

I actually meant road blocks as a figure of speech. Like "red tape" or artificial impediments of one kind or another.


Ah I see what you mean. Yeah that red tape should have occurred at the DMV and should have ended with a denial of a CDL. No need to let them get so far as to be held up with a truckload of goods.

Worth noting that America does not have an official language

I know this will not be a HN aligned comment but all of the street signs are in US English. That is what drivers are tested on and required to understand by law. I do not blame the drivers, I blame whoever told the DMV to license these people illegally. They need to be fired and their agency fined for all the damages they have indirectly caused. Repeated incidents must result in said agency losing the ability to issue commercial driver's licenses or any license for that matter and the individuals causing this need to go to prison in general population with the lifers.

An empty big-rig (tractor + trailer) can be around 35,000 pounds. Loaded can be up to 80,000 pounds and some can get special permits to go higher. That weight combined with speed can turn any car into a crushed soda can. The person or AI behind the wheel absolutely must be the most qualified person on the road and better ace any test or reading and comprehension test related to road regulations and signs.


If I were thinking like a totalitarian my answer would be that requiring a government ID and possibly mapping that ID to a computer's TPM or something along that line so one can not just use another account means one could ban a user not just from one site but from all sites that require government ID.

I equate this to Valve's VAC ban: A Steam VAC (Valve Anti-Cheat) ban is a permanent, non-negotiable penalty applied when an account connects to secured servers while running unauthorized cheat software. It restricts access to multiplayer in VAC-secured games, is publicly displayed on your profile, and cannot be removed by Steam Support, even if a third party was using your account. Permanence: Bans are permanent. If an account is VAC banned, the ban cannot be removed.

Now just apply that to all major platforms and companies on the internet and we have the year 2035, at least I think that is the direction we are going. It will probably show up in the DMV database when a state ID is queried. What I do not know is what they will call it and how much it will cost to get it removed. NannyBan? OoopsYouDontExist? SeeMe? TooManyDemeritsBAN? Not,Sure? WrongThinkBAN? WrongSpeakBAN?


Does AI give people a way to correct pronunciation of names and words? If so are people prompted to review and correct the end result? Genuinely curious, I have never tried to make something like this but it might be fun if I can use a celebrity's voice to read out my dumb blog.

There's a number of ways to do it. Some of them will let you create an override table that uses the IPA (International Phonetic Alphabet).

In the past, when I used the local KokoroTTS model, I did something a bit more primitive for longer texts where it constantly mispronounced a word: a pre-TTS pass with regex to replace those words with a phonetic-sounding equivalent that worked more consistently (e.g. replacing “Danish” with “Day-nish.”)


I've been playing around with KokoroTTS. I like it a lot especially anything that functions locally. It takes a bit of CPU time but I could see letting that churn in the background on a VPS node for a while. Thank you for that.

Glad you're liking Kokoro!

I have a similar setup - I let it spin in the background on some various RSS news feeds that I can listen to while I go walking.

If you don't need voice cloning support it's one of the best locally hostable ones out there IMHO.


Full Title: SaaS-pocalypse chatter is doomster pr0n. It would be nice if enterprise IT were boring again


A better law would have been to require the apps look for an RTA header. [1] If detected trigger parental control password prompt which would only be enabled if a parent enabled parental controls.

Server operators could add this header to anything adult or that may contain user-contributed content in their sleep. App developers could add a snippet of code to look for the header in their sleep. Then have a law that requires parents with small children under 10 must enable parental controls on devices used by their children. Why under 10? No confrontation with teens. The small children will grow into the process. No PII shared. No asking for ID. No sharing ID. Not on the OS, not on a third party website. I don't like green eggs and ham, I don't like them Sam I am.

We all know that once this law has been complied with they will extend it to require ID be uploaded to whatever company gives the most kick-backs to Gavin and an API key will have to be saved on the OS per account. This data will be leaked in 3 ... 2 ...

[1] - https://news.ycombinator.com/item?id=46152074


Taking out Saddam allowed the Taliban to get right back to the raping of the Opium farmers' wives and children. Not saying I approved of Saddam but I did enjoy the way he had originally curtailed the risk to his Opium revenue.

I'm not picking a side, just saying people often create throw-away accounts for political discussions. But yeah an account can be anything. One never knows the underlying agenda people truly have.

My evil agenda is to encourage people to watch every season of Futurama.

