[dns-operations] The (very) uneven distribution of DNS root servers on the Internet

Andrew Sullivan ajs at anvilwalrusden.com
Thu May 17 17:08:47 UTC 2012


On Thu, May 17, 2012 at 01:39:44PM +0000, paul vixie wrote:
> On 5/17/2012 1:21 PM, Andrew Sullivan wrote:
> > ... I think this would happen to the root zone, too, and that seems
> > worse than just one ccTLD. Encouraging random people to keep local
> > copies of the root without anyone knowing about it is almost certainly
> > an excellent way to cause more DNS failures.
> 
> i think we have to admit that this kind of thing is going to happen

Which "this"?  "People will keep local slaves and break sometimes" or
"we encourage people to keep local slaves that break sometimes"?  The
former certainly will (or has), and given the shortage of Internet
Wisdom Cops (or, for that matter, Internet Wisdom) I can't imagine
anyone picking that windmill.  The latter, though, is something that
we who have the slightest (or, in my personal case, less than
slightest) clue of what we're doing can control.  We can in fact
recommend that there are better answers than "make a mirror nobody
knows about".  In my reading, that was all Joe was arguing anyway,
given the L policy (which, as he pointed out, is very nearly "buy this
server and you got yourself a root server").

> routing and great firewalls. the way to ensure that more people get real
> answers may indeed be widespread root zone stealth slavery.
> 
> i realize that this will just move the game down-level to the tld's,

If I read you correctly, in military terms you are arguing there for a
retreat to a location that is itself not securable, and …

> permanent difference. but by the time that part of the game is playing
> out, i'm hoping for relevant penetration levels of dnssec.

… then arguing that the hoped-for availability of a future tactical
advantage will mean that the location you just gave up would have held
anyway.  I think I disagree with the strategy.

Best,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com


