[dns-operations] Signing of the ARPA zone

Phil Pennock dnsop+phil at spodhuis.org
Mon Mar 22 06:28:16 UTC 2010

On 2010-03-21 at 20:30 -0700, Michael Graff wrote:
> On 3/21/10 8:19 PM, Doug Barton wrote:
> > Assuming you have a point above (not sure you do, but let's assume),
> > having 1 out of 13, and arguably one of the lesser-provisioned of the 13
> > at that, not subject to the DOS is of dubious value, for a variety of
> > reasons that I can elaborate if desired. It would make more sense if
> > only say half the roots were serving ARPA.
> Do you think that arpa is somehow a more attractive target than the root?

If neither is a subset of the other, then the likelihood of a DoS
against one affecting the other is diminished.  On first blush, that's a
worthwhile goal; whether there is anyone to provide such a service,
paying for the extra operational costs, is another matter.

The question is how common is it for the root zone to be slaved but for
the arpa zone to not be slaved.  Some OSes (FreeBSD) ship with configs
which have commented-out examples of how to slave these zones, with
various rationales given (faster, reduces leaks spamming the root
servers, improved resilience to DoS).

Does anyone have figures on how common it is, in the wild, for either of
these zones to be slaved?  How common is it for one but not the other?


More information about the dns-operations mailing list