[dns-operations] FreeBSD and the slaving of the root zone
David Conrad
drc at virtualized.org
Tue Jul 31 18:21:52 UTC 2007
Roland,

On Jul 31, 2007, at 10:45 AM, Roland Dobbins wrote:
> On Jul 31, 2007, at 10:36 AM, David Conrad wrote:
>> - DDoS attacks against the root servers would have less impact
>
> Only DDoS attacks whose targeting values were derived in a certain
> manner would have less impact on the actual roots

Right. Sorry, I was unclear. There would be less impact to the users
of the slaved server.

> And
> in terms of the impact on users, which is more likely to have a
> negative impact, an attack against the actual roots themselves, with
> all the various protection mechanisms and technical talent and wide
> visibility associated with them, or a sustained attack against a
> local instance which may not have much in terms of capacity,
> geographical dispersion, mitigation mechanisms, and technical talent
> associated with it?

Two scenarios:

a) an attack against the root. If you have slaved the root, you (and
your customers that you provide service to) are less impacted.

b) an attack against your slaved root. You (and your customers that
you provide service to) are more impacted. However, fallback/mitigation
is to stop serving the root zone. Of course, this doesn't
help you all that much, since your caching server is getting nailed
and that would affect everything you try to look up...

Modulo pulling from something other than the root servers, I actually
like the idea of further decentralization.

Rgds,
-drc