[dns-operations] chrome's 10 character QNAMEs to detect NXDOMAIN rewriting

Joe Abley jabley at hopcount.ca
Wed Nov 27 02:46:50 UTC 2013

On Tuesday 26 November 2013 at 21:17, Damian Menscher wrote:
> Back to solving the problem of traffic at the roots, I've always been curious why recursive resolvers don't just AXFR the root zone file and cache the list of TLDs. Yes, a new TLD might go unnoticed for the duration of your cache, but it's not like we're adding new TLDs every day (yet!). If recursors did this, it would be trivial to avoid sending any of these queries to the roots.

If you want to set up your resolver that way, there's nothing stopping you.

I have frequently argued against any such general recommendation, however. The root nameservers are administered by people who have incentives to do a good job. Resolvers set up by some random admin one rainy Thursday afternoon to transfer the root zone from some place or places that happen to work that day constitute an unmaintained critical service, and end-users will pay for it when it stops working and nobody can figure out what it is supposed to be doing.

Note, I'm not saying that slaving the root zone on a resolver can't be done, and can't be effective, and that there aren't thousands of good admins and organisations with sufficient diligence and process to make this work. My argument is that the number of resolvers not maintained to that extent reduces the size of the former category below the noise floor.

To look at it from a slightly different perspective, there's an advantage in being able to measure the response of the root server system to changes in the DNS (e.g. root-server AAAAs, AAAA glue, DNSSEC, IDNs, new gTLDs). Where the bulk of root referrals are performed using queries and responses to/from the root servers, we have a place where measurement can happen and trends can be identified. If a significant proportion of resolvers in the world slaved the root zone, there would be no such system-wide measurement point.

I appreciate one person's measurement is potentially another person's unwanted external surveillance, and in general I like decentralisation for that reason. It would have been far harder to deploy DNSSEC in the root zone without the ability to say convincingly "we did actual measurement, there are no signs of trouble", however.


More information about the dns-operations mailing list