[dns-operations] Everyone as root server ? Was: FreeBSD and the slaving of the root zone

David Conrad drc at virtualized.org
Tue Jul 31 22:29:13 UTC 2007

On Jul 31, 2007, at 2:24 PM, Paul Vixie wrote:
> since the roots aren't sending these freebsd systems NOTIFY  
> packets, they're
> going to follow the SOA timers.  so instead of a million freebsd  
> hosts sending
> me UDP all day, i get a million of them asking for AXFR after each  
> daily zone
> change.

I agree that having the root servers be targets for the AXFR is a bad  
idea.  The target of the AXFR should be on a different infrastructure.

> if their firewall configs change and they can't fetch the root  
> zone, they'll
> just go stale after a week's time.

This self-immolating, thus self-remedying.

> if we renumber, they'll continue bashing the old address for decades.

No different than current behavior with non-AXFR root service.

> there is no opportunity to measure and characterize the traffic  
> hitting the
> roots to discover broken versions of firefox or whatever.

This is dangerous territory that I'm not sure you want to go (e.g.,  
"what gives the root server operators the right to invade my privacy?")

> since these fetches do not use tsig or dnssec for zone content  
> validation,
> a routing-layer MiTM attack could insert new TLDs for millions of  
> users

A routing-layer MITM can do that now (and, in fact, does as I  
understand it).


More information about the dns-operations mailing list