[dns-operations] Everyone as root server ? Was: FreeBSD and the slaving of the root zone
peter at peter-dambier.de
Tue Jul 31 18:40:09 UTC 2007
Olafur Gudmundsson wrote:
> I1: Is it a good idea to encourage people to turn their recursive servers into
> root servers ?
If they are running older bind nameservers as resolvers then they are prone to
cache poisoning. Athoritative zone cannot be poisoned. So it is a good idea.
If they are living on an "island" with erratic connectivity then it is a good
idea to slave the root.
If they are afraid of the rootservers beeing attacked again and they are living
in a place that has been without rootservers for some time, then again it is
a good idea to slave the root.
> I2: How can the root zone be distributed to million recursive servers in a
> safe and timely manner ?
I am running djbdns on my laptop. I am very lazy refreshing slaves zones
including the root. I can live with an update every two or three month.
IASON ( http://iason.site.voila.fr ) is watching and comparing several
Racines Libres, Liberated Rootservers or alternative roots. IASON keeps
logging very out of date root zones. They are still working with zones
older than a year and they did not even notice that. Of course whenever
there comes up a new TLD you have to wake up.
If you dont want to AXFR then use
either with ftp or wget.
If you are an ISP or a small company then axfr or ftp once per day shold
not be a problem. I you are doing it once per week you should be on the
If you are running a single pc, downloading the file once per month
should be ok.
Remember: running your own root you will never query ".local", ".localhost"
and a lot of other nonsense. You will never query the root at all, except
for the download. DoS attacks implementing address spoofing always use
UDP. You will always use TCP. Maybe you can even axfr when the rootservers
Peter and Karin
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.arl.pirates
More information about the dns-operations