[dns-operations] root? we don't need no stinkin' root!

David Conrad drc at virtualized.org
Wed Dec 4 16:31:24 UTC 2019

[Sorry for the slow response — US holidays and a resolution not to look at my computer over said holidays got in the way]

> On Nov 28, 2019, at 12:42 AM, Petr Špaček <petr.spacek at nic.cz> wrote:
> On 27. 11. 19 21:49, David Conrad wrote:
>> Petr,
>>> I think there is an even more fundamental problem:
>>> Someone has to pay operational costs of “the new system”.
>> The “new system” is simply the existing network of resolvers, augmented to have the root zone.  As far as I can tell, the operational cost would be in (a) ensuring the resolver is upgraded to support obtaining the root zone and (b) dealing with the fetch of the root zone with some frequency.
> I hypothesize that in the end requirements for "the new system for root zone distribution" will be fairly close to current requirements for current DNS root system... so I do not see where the cost reduction comes from.

Root zone distribution is on different timescales than root query service.  Even if the root zone distribution service relies only on AXFR, an effective DDoS of that service based on SOA timers would need to be maintained for far longer than a DDoS against root service based on cache TTLs.  And, of course, folks have already been looking at distributing the root zone via stuff other than AXFR (e.g., HTTPS).

Further, the root servers have to respond to pretty much every DNS query that gets thrown at them, both UDP and TCP. A root zone distribution service would only need to respond to AXFR/IXFR requests over TCP (and this could even be gated by whitelisting/blacklisting).

(Speaking for myself, not any organization I may be affiliated with)
