[dns-operations] FreeBSD and the slaving of the root zone

Matt Larson mlarson at verisign.com
Tue Jul 31 22:30:16 UTC 2007


On Tue, 31 Jul 2007, Patrik Fltstrm wrote:
> - We need a distribution mechanism for the root zone that scales

No argument there.  AXFR from existing root servers is a non-starter.

> - We need the root zone signed with DNSSEC (tsig is not enough for me)

Well, TSIG is good enough for the root operators: the root zone is
protected via TSIG as it travels from the stealth master servers
operated by VeriSign to the various root servers.

I further note that the canonical publicly available root zone on
ftp.rs.internic.net is PGP signed.

> - We need to know that the actual level of broken queries to the root  
> servers will go down (if people today query for "localhost.", that  
> indicate a broken full service resolver, so how will a similarly  
> broken slave for root zone behave?)

I think we can safely attribute such queries not to broken full
service resolvers but to inappropriate queries issued/leaking from
upstream applications and stub resolvers.  Having a local recursive
name server authoritative for the root would absolutely stop such
queries from reaching the roots.

> I.e. I have no idea what *real* problem this solves.

Crap to the roots.  Although, as John Crain pointed out, the root
operators really need to provision for attack scenarios, and attack
traffic dwarfs the crap by orders of magnitude.  So this may be
solving a non-problem, but it doesn't hurt to discuss the idea.

Matt



More information about the dns-operations mailing list