[dns-operations] The (very) uneven distribution of DNS root servers on the Internet

Joe Abley jabley at hopcount.ca
Thu May 17 10:25:32 UTC 2012


On 2012-05-16, at 21:44, David Conrad wrote:

> On May 16, 2012, at 5:52 PM, Joe Abley wrote:
>> The point was the importance of knowing who the stealth slaves are, if any coordinated measurement of the root system is going to be possible.
> 
> Even ignoring folks who slave the zone now, is coordinated measurement of the root system realistically possible today given the business/political/philosophical environments of the root operators?

Yes.

>>> In any event, this isn't either/or, particularly since folks can and do slave the root today.  The question is how can we improve root service and/or address (perhaps non-technical) concerns folks have regarding that service in the most effective/efficient way. 
>> I agree that's the question. I guess it's probably clear to you that the suggested alternative seems worse than what we have, to me.
> 
> As a member of the secret handshake society, this is not surprising (joking!).

I do it so you don't have to. :-)

> More seriously, I acknowledge the risks associated with decentralization, however I do believe the benefits outweigh those risks. Unless/until all the root servers turn off zone transfer, ICANN decommissions their zone transfer servers, and the USG rewrites the contract with VeriSign to stop publishing the root zone on internic.net, clueful folks will be setting up root-as-slaves. Are you suggesting efforts should be made to stop this?

We will continue to publish the root zone (e.g. via xfr.cjr.dns.icann.org and xfr.lax.dns.icann.org) without restriction because it's important to be transparent about root zone management. I am personally enthusiastic that this should continue, and I can't imagine supporting a plan that made things less transparent.

However, there's a difference between making the data available for public scrutiny and encouraging people to make poor operational choices about what to do with it. Nobody here is in favour of bad choices; we're just disagreeing about exactly how horrible an idea this is.


Joe

