[dns-operations] FreeBSD and the slaving of the root zone

Roland Dobbins rdobbins at cisco.com
Tue Jul 31 18:42:04 UTC 2007

On Jul 31, 2007, at 11:21 AM, David Conrad wrote:

> a) an attack against the root.  If you have slaved the root, you (and your customers that you provide service to) are less impacted.

I don't know if I agree with this.  Attacks against the actual roots themselves to date a) haven't made a huge impact on wide-scale DNS functionality due to the fact that the roots aren't involved in the vast majority of run-of-the-mill DNS transactions and are largely operated by groups who implement various BCPs and defensive measures, as well as their visibility to the operational community, and b) would have to be both technically successful and sustained in nature to start having a real impact, which I believe is less likely than the same directed against one's local root instance.

> b) an attack against your slaved root.  You (and your customers that you provide service to) are more impacted.  However, fallback/mitigation is to stop serving the root zone.  Of course, this doesn't help you all that much, since your caching server is getting nailed and that would affect everything you try to look up...

> Modulo pulling from something other than the root servers, I actually like the idea of further decentralization.

So, if folks are interested in further decentralization of the roots, why not pony up and become a no-BS root instance operator, rather than running a 'poor-man's' root instance?  Horizontally scaling real root instances (with all that entails in terms of investment and opex) would probably be a better way to accomplish useful decentralization, would it not?

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

		-- Ford Motor Company