[dns-operations] FreeBSD and the slaving of the root zone
Mark_Andrews at isc.org
Wed Aug 1 00:39:16 UTC 2007
> On Tue, 31 Jul 2007, Patrik Fltstrm wrote:
> > - We need a distribution mechanism for the root zone that scales
> No argument there. AXFR from existing root servers is a non-starter.
> > - We need the root zone signed with DNSSEC (tsig is not enough for me)
> Well, TSIG is good enough for the root operators: the root zone is
> protected via TSIG as it travels from the stealth master servers
> operated by VeriSign to the various root servers.
Plain TSIG is clearly inappropriate. TKEY would work but would
put excessive load on the roots.
What will work is re-introducing zone signatures. See the
early DNSSEC work.
If we had "glue" signature (signatures for the NS and all
records below delegations) validating the zone post transfer
would also work.
> I further note that the canonical publicly available root zone on
> ftp.rs.internic.net is PGP signed.
> > - We need to know that the actual level of broken queries to the root
> > servers will go down (if people today query for "localhost.", that
> > indicate a broken full service resolver, so how will a similarly
> > broken slave for root zone behave?)
> I think we can safely attribute such queries not to broken full
> service resolvers but to inappropriate queries issued/leaking from
> upstream applications and stub resolvers. Having a local recursive
> name server authoritative for the root would absolutely stop such
> queries from reaching the roots.
> > I.e. I have no idea what *real* problem this solves.
> Crap to the roots. Although, as John Crain pointed out, the root
> operators really need to provision for attack scenarios, and attack
> traffic dwarfs the crap by orders of magnitude. So this may be
> solving a non-problem, but it doesn't hurt to discuss the idea.
It also improves response times and reduces cache sizes for
recursive clients. NXDOMAIN responses, especially signed
responses, are large blobs of data that need to be cached.
> dns-operations mailing list
> dns-operations at lists.oarci.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations