[dns-operations] FreeBSD and the slaving of the root zone

David Conrad drc at virtualized.org
Tue Jul 31 18:21:52 UTC 2007


On Jul 31, 2007, at 10:45 AM, Roland Dobbins wrote:
> On Jul 31, 2007, at 10:36 AM, David Conrad wrote:
>> - DDoS attacks against the root servers would have less impact
> Only DDoS attacks whose targeting values were derived in a certain
> manner would have less impact on the actual roots

Right. Sorry, I was unclear.  There would be less impact to the users  
of the slaved server.

> And
> in terms of the impact on users, which is more likely to have a
> negative impact, an attack against the actual roots themselves, with
> all the various protection mechanisms and technical talent and wide
> visibility associated with them, or a sustained attack against a
> local instance which may not have much in terms of capacity,
> geographical dispersion, mitigation mechanisms, and technical talent
> associated with it?

Two scenarios:

a) an attack against the root.  If you have slaved the root, you (and  
your customers that you provide service to) are less impacted.

b) an attack against your slaved root.  You (and your customers that  
you provide service to) are more impacted.  However, fallback/ 
mitigation is to stop serving the root zone.  Of course, this doesn't  
help you all that much, since your caching server is getting nailed  
and that would affect everything you try to look up...

Modulo pulling from something other than the root servers, I actually  
like the idea of further decentralization.


More information about the dns-operations mailing list