[dns-operations] Scott Doty: The DDOS problem & security BOF: Am i mistaken?

Florian Weimer fw at deneb.enyo.de
Thu Oct 16 15:07:07 UTC 2008

* Paul Vixie:

> the nanog moderators have ended this thread & recommended it be sent
> here.

If the answer to certain DNS issues is "more authoritatives" (I'm
assuming that's what Scott is alluding to), we should define an AXFR
record which contains a URL for a replica of the zone (or maybe just an
address, but then you can't use https://).

Interested resolver operators could then keep a copy of the most
important zones (based on actual usage on this resolver).  Not using NS
records means that there is clear opt-in from the zone operator, and the
TCP stuff could be factored out of the critical path.  It could also be
made clear to zone operators that changing AXFR records (and referenced
infrastructure) is costly because it will trigger extensive verification
from resolvers.

On the other hand, I'm not sure if this is really the right approach.
For example, SSH-style leap-of-faith DLV seems more attractive to me.
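A sketch of the resolver-side logic the proposal implies, added here as an illustration and not code from the thread: the "AXFR record" is the hypothetical record type the post describes, not a real RR type, and the query log, zone names, URLs and the usage threshold are constructed assumptions.

```python
# Added illustration of the opt-in zone-replication idea from the post.
# The "AXFR record" modelled here is hypothetical (the post's proposal), not a
# real DNS RR type; log lines and URLs are constructed sample data.
from collections import Counter
from urllib.parse import urlparse

# Constructed resolver query log: "<client> <qname>" per line.
QUERY_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 www.example.com",
    "10.0.0.9 api.example.net",
    "10.0.0.9 cdn.example.net",
    "10.0.0.5 intranet.corp.test",
]

# Constructed opt-in table: zone -> URL from its hypothetical AXFR record.
# Zones absent here published no such record and are never replicated.
AXFR_RECORDS = {
    "example.com.": "https://zones.example.com/example.com.zone",
    "example.net.": "http://mirror.example.net/example.net.zone",
}

def zone_of(qname, known_zones):
    """Map a query name onto the longest matching zone we know about."""
    labels = (qname.rstrip(".") + ".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known_zones:
            return candidate
    return None

def zone_usage(log_lines, known_zones):
    """Count queries per opted-in zone, which is the resolver's own usage signal."""
    counts = Counter()
    for line in log_lines:
        _client, qname = line.split()
        zone = zone_of(qname, known_zones)
        if zone:
            counts[zone] += 1
    return counts

def replication_candidates(log_lines, axfr_records, min_queries, require_https=True):
    """Zones worth replicating: opted in, busy enough, and (by default) served
    over https so the replica can be authenticated; NS records are never consulted."""
    usage = zone_usage(log_lines, set(axfr_records))
    chosen = []
    for zone, n in usage.most_common():
        if n < min_queries:
            continue
        url = axfr_records[zone]
        if require_https and urlparse(url).scheme != "https":
            continue
        chosen.append((zone, url))
    return chosen

def needs_reverification(old_records, new_records):
    """Zones whose AXFR record changed must be re-fetched and re-verified
    before the replica is trusted again: the cost to zone operators the post notes."""
    return sorted(z for z in new_records if old_records.get(z) != new_records[z])
```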

