[dns-operations] N-Root

Joe Abley jabley at hopcount.ca
Mon Apr 1 20:42:27 UTC 2013 

On 2013-04-01, at 16:17, Robert Edmonds <edmonds at isc.org> wrote:

> with single-character names, like this:
> 
>    . IN NS a.
>    . IN NS b.

This idea surfaces from time to time. In other contexts people have gone further, questioning the design decision regarding how much additional-section glue it is ever necessary to return to a priming query. Perhaps there's room for an O and a P, too. Perhaps a Q!

But, how sure are we that single-label hostnames work as expected? There seems to be quite some variety in the installed client base (e.g. see <http://www.icann.org/en/groups/ssac/documents/sac-053-en.pdf>) and predictability in priming behaviour seems important.

Having the root servers named as you suggest brings them into the root zone as full-class citizens, where they will be signed. Priming queries with DO=1 are going to get larger replies because of the extra RRSIGs. What might that break?

What assumptions might be hard-coded into middleware, end systems, etc about the number of root servers? What DPI/firewalls are going to start rejecting priming queries if they look unusual?

Given that answers based in theory and protocol for these and another five hundred questions only go so far, how do you design a representative experiment to find out for sure? If the answer is deploy and see, how do you detect failure? How do you back out the change? Who is responsible for the costs imposed on others by this change?

What are the operational benefits of adding root servers when you already have 13 (22 if you count individual As and AAAAs) and hundreds of anycast nodes deployed?

Assuming there are operational benefits, what are the costs? How can you measure the cost of such a change in a system when the service operators can't ever know all their clients, and the clients half the time don't know what service they're using?

How can we be sure that the benefits (if we can find any) outweigh the costs (which perhaps we can't ever measure)?

What are the political implications of having to choose one operator for a new root server? How might this affect the coordination between the other twelve?

I think fitting RRSets in a response packet is actually the most trivial of all these issues. Even with a convincing answer to that, the rest of the problem space is filled with angry crocodiles.

My point is not to defend any sacred institutions, but rather to illustrate that a conservative approach to such a change is hard to find, the costs are potentially many and the benefits potentially slight. If there is money and energy to burn making the Internet a better place, this isn't (to me) the most obvious place to start spending it.


Joe

More information about the dns-operations mailing list