[dns-operations] Getting rid of ISP's recursive DNS servers? (Was: Eircom "DNS Attacks" ?

David Conrad drc at virtualized.org
Sun Jul 19 21:44:13 UTC 2009


On Jul 19, 2009, at 2:10 PM, Stefan Schmidt wrote:
> On Sun, Jul 19, 2009 at 08:22:57PM +0200, Peter Dambier wrote:
>> Stephane Bortzmeyer wrote:
>> I have seen configurations for djbdns at least that do not need
>> the root-servers at all. Just ftp the file once per week and
>> prepare it so your dnscache directly queries the tld-servers.

Pretty much any caching server can be configured to do this.  In fact,  
part of the IANA DNSSEC testbed was to have a signed zone open for  
zone transfer specifically for this purpose (try a zone transfer from  
root.iana.org).  dnscache is actually at a disadvantage compared to  
BIND since it doesn't support zone transfer...

> The roots provide a central yet scalable

Err, no.  Not really. "Central" pretty much means non-scalable by  
definition. The root, as a single point of failure, will always be  
vulnerable because it is trivial to simply add more zombies to your  
botnet to overwhelm anything that the root server operators are able  
to spend.  You want scalability?  Compare the O(300) machines serving  
the root zone today to the number of caching servers out there.

> and yes, flexible point to
> gather TLD delegation data from, replacing that with a non-DNS way  
> only
> obfuscates the protocol and well, just think about the scalability  
> issues
> you'd run into with the central ftp-server you're proposing.

The root zone is small (currently about 130K signed) and changes  
relatively infrequently.  Due to caching, it is obviously not time  
critical to have the absolutely latest version.  As such, it would be  
trivial to Akamize (or whatever) the root zone.  Assuming it is  
signed, of course.

Regards,
-drc
