[dns-operations] FreeBSD and the slaving of the root zone
Roland Dobbins
rdobbins at cisco.com
Tue Jul 31 18:42:04 UTC 2007
On Jul 31, 2007, at 11:21 AM, David Conrad wrote:
> a) an attack against the root. If you have slaved the root, you
> (and your customers that you provide service to) are less impacted.
I don't know if I agree with this. Attacks against the actual roots
themselves to date a) haven't made a huge impact on wide-scale DNS
functionality due to the fact that the roots aren't involved in the
vast majority of run-of-the-mill DNS transactions and are largely
operated by groups who implement various BCPs and defensive measures,
as well as their visibility to the operational community, and b)
would have to be both technically successful and sustained in nature
to start having a real impact, which I believe is less likely than
the same directed against one's local root instance.
> b) an attack against your slaved root. You (and your customers
> that you provide service to) are more impacted. However, fallback/
> mitigation is to stop serving the root zone. Of course, this
> doesn't help you all that much, since your caching server is
> getting nailed and that would affect everything you try to look up...
Concur.
> Modulo pulling from something other than the root servers, I
> actually like the idea of further decentralization.
So, if folks are interested in further decentralization of the roots,
why not pony up and become a no-BS root instance operator, rather
than running a 'poor-man's' root instance? Horizontally scaling real
root instances (with all that entails in terms of investment and
opex) would probably be a better way to accomplish useful
decentralization, would it not?
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company