[dns-operations] FreeBSD and the slaving of the root zone

John Crain john.crain at icann.org
Tue Jul 31 18:03:36 UTC 2007

On Jul 31, 2007, at 10:36 AM, David Conrad wrote:

> On Jul 31, 2007, at 9:13 AM, Edward Lewis wrote:
>> At 15:50 +0000 7/31/07, Paul Vixie wrote:
>>> it's not my turn.  does everybody else think this is a good idea?
>>> start with the fact that root nameservers renumber from time to time,
>>> and go from there.
>> Let's start with the potential renumbering of the root servers.
> Perhaps I'm dense, but I don't see how renumbering root servers is a
> big deal in this context.  Renumbering root servers is already hard.
> I'm not sure why this would make it any harder.  Of course, the
> difficulty in renumbering root servers argues for the /32s and /128s
> for root service to be fixed in concrete (that is, becoming
> essentially protocol elements standardized in an RFC), but I know
> some of the root server operators get the twitches when I raise this.

There is the question as to whether the flexibility of being able to
renumber or, as has happened in the past, add servers outweighs the
advantages of specifying the addresses in the protocol. I'm not really
sure there are any advantages.

I do agree though that renumbering wouldn't be any harder because of
this; of course, those using this are already pulling the zone from a
subset of servers.

>> An upside of having the root zone local is that the recursive server
>> (assuming that's the function to cite) will not recurse to the root.
>> Not for "good queries" and not for "bad queries."
> Upsides include:
> - greater decentralization that should reduce load
> - DDoS attacks against the root servers would have less impact

Assuming that the DDoS was not aimed directly at the servers but
relied on the recursive servers, then yes. Having the zone on a local
won't mitigate all forms of DDoS against the root servers, even those
using DNS.

One of the arguments I keep hearing is that the load of the invalid
queries on the root servers is a major problem. As an operator of one of
those servers I can state that, from my perspective, yes, the percentage
of "junk" is annoyingly high, but from an operational standpoint it is
not at a level where we have to worry about it from a resources
standpoint. Compared to the resources we currently need for DDoS
mitigation, the amount of "junk" is trivial.

Having thousands of servers attempting AXFR is likely to be much more
of a load issue. Of course I haven't done the math, but my gut feeling
is that all those TCP connections will hurt.


> Downsides include:
> - increased load on the root servers as a result of the zone transfers
> This downside could be alleviated by having the zone transfer source
> be different than the actual root servers.

> Rgds,
> -drc
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
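The setup the thread is arguing about, as an added example that is not part of the original message or of any root operator's published configuration: a BIND 9 named.conf fragment that keeps a local secondary copy of the root zone on a recursive server. The transfer-source addresses are placeholders (documentation prefixes), not real root-server or AXFR-host addresses; the zone file path is likewise an assumption.

```conf
// Added example, not from the thread: local secondary copy of the root
// zone on a recursive BIND 9 server. Transfer sources are PLACEHOLDERS;
// replace them with hosts that actually permit AXFR of the root zone
// (per the thread, ideally NOT the root servers themselves, so the
// transfer load lands elsewhere).
zone "." {
    type slave;                  // "secondary" in newer BIND releases
    file "slave/root.zone";      // assumed path, relative to "directory"
    masters {
        192.0.2.1;               // placeholder IPv4 AXFR source
        2001:db8::1;             // placeholder IPv6 AXFR source
    };
    notify no;                   // nothing downstream to notify
    allow-transfer { none; };    // do not re-serve the zone via AXFR
};
```

Two caveats a practitioner checks before deploying this: first, as the thread notes, the local copy only removes the resolver's own trips to the root; it does nothing for traffic aimed directly at the root server addresses. Second, a secondary zone that cannot be refreshed eventually expires, and BIND then answers SERVFAIL for the zone rather than falling back to the root hints, so transfer failures need to be monitored (for example, by alerting on the zone's refresh and expiry log messages) rather than assumed to degrade gracefully.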
