[dns-operations] root? we don't need no stinkin' root!

Mark Allman mallman at icir.org
Mon Dec 2 20:09:25 UTC 2019


> For reachability, it is not enough to consider the nameserver IP
> addresses, did you also check DS record stability?

I did not.  I was more interested in understanding how much the
infrastructure churned.  To me the crypto stuff is config that we
can more readily hack.   And, while I didn't scrutinize your long
list, I sort of skimmed and it seems the changes may not always keep
for a year, but are generally more than "a few days".

However, that said, ...

> In any case, it seems likely that have a root zone that is a year
> out of date would be problematic for many TLDs.

My point wasn't to argue a zone file that is a year out of date is
somehow OK.  Even without the DNSSEC bits, I think not being able to
reach 50 TLDs is not OK.  However, the infrastructure seems slowly
changing.  And, that has some ramifications.  And, we might be able
to leverage those if we wanted to ...

  - E.g., if we wanted to extend the TTL that doesn't seem like it
    would be a big problem.

  - E.g., if *in a pinch* we had to use an expired, but not too old
    root zone file to reach a TLD server because we couldn't fetch a
    current zone file that would likely be OK, too.

allman


More information about the dns-operations mailing list