[dns-operations] The (very) uneven distribution of DNS root servers on the Internet

paul vixie paul at redbarn.org
Thu May 17 01:16:38 UTC 2012


On 5/17/2012 12:07 AM, Paul Hoffman wrote:
> On May 15, 2012, at 11:04 PM, paul vixie wrote:
>> now that i've been reminded that the SOA timers are shorter than the
>> update frequency and that no NOTIFY is required for up-to-date stealth
>> slave service; and now that the root is signed, making it unlikely that
>> stealth copies will be amended or that their namespaces will be
>> overloaded with other stealth slaves... i agree with drc here. let's
>> start encouraging widespread stealth slavery for the root zone.
> I'm deeply confused by the threads that followed this proposal. It seems that the problem is "some ISP's recursive resolvers have not great connections to a local root server".

no. that's not the problem.

> If so, why are the solutions proposed heavy-weight protocols and policy initiatives? Instead, suggest to the ISPs with the problem that they run a simple program every six hours. The program is in essence:
>   for ThisTLD in ListOfKnownTLDs:
>     dig @yourdnsserver ThisTLD NS
> This fills their cache, well within the TTL of any of the TLDs.
>
> Doesn't that solve the problem?

no. as marka pointed out, this would not even solve the proposed problem
statement you gave, since most root responses are negative. (note, i'm
not going to get into why we can't synthesize future NXDOMAIN responses
from prior NSEC responses.)

the problem is, people want to do this, and there's no stopping them, so
we should roll with it. encourage it, describe the best practices, make
measurement and telemetry work, etc. (note, i'm not going to go into why
people want this, or whether they should want this.)

paul
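
An illustration of the exchange above, added here and not part of the original message: a toy resolver-cache model that counts which queries still reach a root server with a cold cache, with the quoted six-hourly priming loop, and with a local copy of the root zone. The TLD set and query stream are constructed, and the model assumes negative answers are cached per exact query name with no expiry during the run.

```python
# Toy model, constructed data: a stand-in TLD set and a resolver's query stream.
ROOT_TLDS = {"com", "net", "org", "de", "uk"}
QUERIES = ["www.example.com", "printer.local", "mail.example.org", "host.corp",
           "wpad.home", "www.example.de", "nas.lan", "printer.local", "db.internal"]

def tld_of(name):
    """Rightmost label of a domain name, lower-cased."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()

def root_queries(queries, primed=False, local_root_copy=False):
    """Count (referral, nxdomain) queries that still reach a root server.

    Assumptions: negative answers are cached per exact query name, nothing
    expires during the run, and no NXDOMAIN is synthesized from NSEC.
    """
    if local_root_copy:
        return (0, 0)  # positive and negative answers both come from the local zone
    cached_tlds = set(ROOT_TLDS) if primed else set()  # priming = NS for every TLD
    cached_nxdomain = set()
    referrals = nxdomains = 0
    for name in queries:
        name = name.rstrip(".").lower()
        tld = tld_of(name)
        if tld in cached_tlds or name in cached_nxdomain:
            continue  # answered from cache, root not contacted
        if tld in ROOT_TLDS:
            referrals += 1
            cached_tlds.add(tld)
        else:
            nxdomains += 1  # nonexistent TLD: priming cannot pre-fill this
            cached_nxdomain.add(name)
    return (referrals, nxdomains)

if __name__ == "__main__":
    for label, kwargs in [("cold cache", {}),
                          ("primed with TLD NS", {"primed": True}),
                          ("local root zone copy", {"local_root_copy": True})]:
        print(label, root_queries(QUERIES, **kwargs))
```

Priming removes only the referral column; the queries for names under nonexistent TLDs reach the root in both cache-only cases.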


