[dns-operations] The (very) uneven distribution of DNS root servers on the Internet

Andrew Sullivan ajs at anvilwalrusden.com
Fri May 18 11:28:20 UTC 2012

On Fri, May 18, 2012 at 09:34:28AM +1000, Mark Andrews wrote:
> How can you "slave" a zone off your servers and not know.

In the particular disaster case that I was thinking of, not all of the
servers involved were ours.  But if you're running a sufficiently
large service, you have all kinds of queries arriving that fail.  A
few failed zone transfers are in the noise.

> master but true slaving should have caused the zone to expire unless

Yes.  I have no idea how the people in question managed to convince
bind not to expire the zone, although I suspect that they were
noticing that it would stop working, and then they'd restart bind or
something.  In the particular case I was thinking of, the machine they
were transferring from just stopped answering.  It always was
mysterious to me how they managed to keep serving at all, but I know
they did.

I'm not sure how "zone expires" makes the problem any better,
however.  It merely changes the problem from "slow decay and bad
information on the network" into "sudden complete failure of
resolution at the root".  I know, you're thinking that they will just
switch to some other root server, and there won't be a problem.  But
if they were just going to use the DNS protocol like normal, they
could use the widely-built infrastructure already in existence.

Remember that part of the original point that started all this was the
political noise that this or that country "doesn't have a root
server".  The foundation of much of the reasoning here is badly
flawed, and I don't think there's any reason to suppose that people
who start from such premises are going to permit the "root queries to
go out of country".  Yes, I've heard it stated exactly that way in the
past.  Many of these arguments are not being made from technical
grounds, but on layer 9+n grounds that I don't understand.

Andrew Sullivan
ajs at anvilwalrusden.com
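The failure mode discussed above (a secondary copy of a zone that keeps answering long after its primary has gone silent, versus one that honours the SOA expire timer and stops answering outright) is easy to check for from the outside. The following script is an added example and is not part of this thread or of BIND; it assumes SOA records in the same text layout `dig +short SOA` prints, and the record values and the "seconds since last transfer" figure are constructed for illustration. It compares serials with RFC 1982 serial-number arithmetic so that a wrapped serial is not misread as stale.

```python
from dataclasses import dataclass

# SOA lines in `dig +short SOA` layout (constructed sample data, not real records):
#   MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
PRIMARY_SOA = "a.root-servers.net. nstld.verisign-grs.com. 2012051801 1800 900 604800 86400"
SECONDARY_SOA = "ns.example.net. hostmaster.example.net. 2012051000 1800 900 604800 86400"


@dataclass(frozen=True)
class Soa:
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int


def parse_soa(line: str) -> Soa:
    """Parse one SOA record in dig +short layout into its timing fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {line!r}")
    return Soa(
        mname=fields[0],
        serial=int(fields[2]),
        refresh=int(fields[3]),
        retry=int(fields[4]),
        expire=int(fields[5]),
    )


def serial_gt(i1: int, i2: int) -> bool:
    """RFC 1982 serial-number comparison: True if i1 is 'newer' than i2.

    Serials are 32-bit and wrap, so a plain '>' is wrong near the wrap point.
    """
    half = 2 ** 31
    return (i1 < i2 and i2 - i1 > half) or (i1 > i2 and i1 - i2 < half)


def zone_status(primary: Soa, secondary: Soa, seconds_since_last_xfr: int) -> str:
    """Classify a secondary copy of a zone relative to its primary.

    'expired': the SOA expire interval has elapsed since the last successful
               transfer, so a conforming secondary must stop answering.
    'stale'  : still within the expire window, but the primary has a newer
               serial, i.e. the secondary is serving outdated data.
    'current': serials agree and the copy was refreshed recently.
    """
    if seconds_since_last_xfr >= secondary.expire:
        return "expired"
    if serial_gt(primary.serial, secondary.serial):
        return "stale"
    return "current"


def report(primary_line: str, secondary_line: str, seconds_since_last_xfr: int) -> str:
    """One-line human-readable summary for an operator."""
    p, s = parse_soa(primary_line), parse_soa(secondary_line)
    status = zone_status(p, s, seconds_since_last_xfr)
    return (f"{s.mname} serial {s.serial} vs primary {p.serial}; "
            f"{seconds_since_last_xfr}s since last transfer "
            f"(expire={s.expire}s): {status}")


if __name__ == "__main__":
    # Three days since the last transfer: inside the expire window but behind.
    print(report(PRIMARY_SOA, SECONDARY_SOA, 3 * 86400))
    # Eight days: past the 604800s expire timer, the copy should have gone dark.
    print(report(PRIMARY_SOA, SECONDARY_SOA, 8 * 86400))
```

In practice the two SOA lines would come from querying the primary and the suspect secondary directly, and the "seconds since last transfer" figure from the secondary's own logs; a copy that reports "stale" for longer than the refresh plus a few retry intervals is the slow-decay case described in the message, while "expired" is the sudden-failure case.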
