[dns-operations] alternate rootism

Paul Vixie paul at redbarn.org
Mon Dec 16 15:38:40 UTC 2013

(thread fork)

Tony Finch wrote:
> Paul Vixie <paul at redbarn.org> wrote:
>> this is true.
> Except that you could (I think) use Unbound as your resolver and configure
> it with a stub zone for the root pointing at a local NSD which slaves the
> root.

in that sense, BIND 10 can also perform mixed-mode service. however,
this config devolves to the one i described on itipanel@, since the root
hints compiled into your rdns could be just some hierarchical anycast
names/addresses, which would be served as locally as you want.

>> [...] any wide-spread support for "root zone hidden slave" would have to
>> deal with this. TSIG isn't the answer since the signing key has to be
>> secret if we want to prevent MiTM attacks on hidden slave root zone
>> content.
> TKEY ought to do the trick.

yes; thank you for this clarification.

>> http://mm.icann.org/pipermail/itipanel/2013-November/000017.html
> Sounds a lot like the ICANN L-root dense anycast model.
> http://blog.icann.org/2012/03/l-root-in-your-pocket/
> http://www.menog.org/presentations/menog-10/Dave%20Knight%20-%20Dense%20Anycast%20Deployment%20of%20DNS%20Authority%20Servers.pdf

yes and no. yes, there are superficial similarities. no, it's not the
same thing or even close to the same thing. my proposal regarding
disconnected root name service would involve creating a second root zone
possessing only two NS RR's, each having one globally reachable IP
address and one globally reachable IP6 address. this root zone would be
signed by the ICANN root zone signing key, kept in synch with the
existing root zone, and made available by AXFR and IXFR in a
high-availability configuration, with some way of registering for NOTIFY
service. i'd say it bears more resemblance to the older proposal still
online at <http://ss.vix.su/~vixie/alternate-rootism.pdf>, than to the
L-root model. without ICANN support for the project it would be nec'y to
pirate all existing root name server names/addresses at every level of
the hierarchical anycast network, which would lead to chaos; or, to only
pirate L-root's, which would lead to long startup delays while the other
root name server names/addresses were each checked for reachability.


More information about the dns-operations mailing list