[dns-operations] Getting rid of ISP's recursive DNS servers? (Was: Eircom "DNS Attacks" ?)

Stefan Schmidt stefan.schmidt at freenet.ag
Sun Jul 19 22:06:52 UTC 2009


On Sun, Jul 19, 2009 at 02:44:13PM -0700, David Conrad wrote:

>> On Sun, Jul 19, 2009 at 08:22:57PM +0200, Peter Dambier wrote:
>>> I have seen configurations for djbdns at least that do not need
>>> the root-servers at all. Just ftp the file once per week and
>>> prepare it so your dnscache directly queries the tld-servers.
>
> Pretty much any caching server can be configured to do this.  In fact,  
> part of the IANA DNSSEC testbed was to have a signed zone open for zone 
> transfer specifically for this purpose (try a zone transfer from  
> root.iana.org).  dnscache is actually at a disadvantage compared to BIND 
> since it doesn't support zone transfer...

That's meant for Peter, I suppose.
I'd rather not encourage ftp transfers as a root-servers substitute.

>> The roots provide a central yet scalable
>
> Err, no.  Not really. "Central" pretty much means non-scalable by  
> definition. The root, as a single point of failure, will always be  
> vulnerable because it is trivial to simply add more zombies to your  
> botnet to overwhelm anything that the root server operators are able to 
> spend.  You want scalability?  Compare the O(300) machines serving the 
> root zone today to the number of caching servers out there.

I will put it this way:
The root nameservers provide the most scalable yet central service to date.
This is due to the ingenious protocol design we have with DNS. It could
also work with a p2p system, but I would presume this to be way slower.

>> and yes, flexible point to
>> gather TLD delegation data from, replacing that with a non-DNS way only
>> obfuscates the protocol and well, just think about the scalability issues
>> you'd run into with the central ftp-server you're proposing.
>
> The root zone is small (currently about 130K signed) and changes  
> relatively infrequently.  Due to caching, it is obviously not time  
> critical to have the absolutely latest version.  As such, it would be  
> trivial to Akamize (or whatever) the root zone.  Assuming it is signed, 
> of course.

Alright, so what would you do if for some (any) reason we needed to do a
complete reset/bootstrap of the DNS?
I'd rather not have to synthesize the egg without the chicken.

	Stefan
-- 
/* Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
 * way.
 */
2.4.3 linux/net/core/netfilter.c 