[dns-operations] root? we don't need no stinkin' root!

Paul Vixie paul at redbarn.org
Wed Dec 4 17:19:55 UTC 2019

David Conrad wrote on 2019-12-04 08:31:
> [Sorry for the slow response — US holidays and a resolution not to look 
> at my computer over said holidays got in the way]
> ...
> Further, the root servers have to respond to pretty much every DNS query 
> that gets thrown at them, both UDP and TCP. A root zone distribution 
> service would only need respond to AXFR/IXFR requests over TCP (and this 
> could even be gated by whitelisting/blacklisting).

while i agree with this message on all points, i'd like to clarify that 
the ixfr/axfr protocol begins with an SOA query, and there is no current 
requirement that this be done via TCP. a TCP-mostly zone distribution 
service would be unwise to simply ignore TCP -- rather, it would be best 
to answer UDP with TC=1 regardless of the query content. the ixfr/axfr 
protocol also relies on NOTIFY, which is also a UDP-mostly protocol.

of course, a revised protocol could be specified for any given service 
such as a "root zone distribution service" which required that only TCP 
be used, for both the initial SOA query, and NOTIFY if any, and then the 
transfer (ixfr or axfr.) in that event, the above clarification would be 

P Vixie
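Added illustration of the point made above (example code, not part of the thread or of any named nameserver): a zone distribution service that serves transfers only over TCP but still answers every UDP query, including the SOA probe that precedes IXFR/AXFR, with an empty TC=1 response so clients retry over TCP. Function names and the sample queries are constructed for this example.

```python
"""Stub responder logic for a TCP-only zone distribution service (example code).

Every UDP query gets an empty, truncated (TC=1) reply, regardless of its
content, so that a compliant client retries over TCP instead of timing out.
"""
import struct

QTYPE = {"SOA": 6, "IXFR": 251, "AXFR": 252}


def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Construct a minimal one-question DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(lbl)]) + lbl.encode("ascii")
        for lbl in qname.rstrip(".").split(".") if lbl
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # IN class


def _question_end(msg: bytes) -> int:
    """Return the offset just past the single question section."""
    off = 12
    while msg[off] != 0:
        if msg[off] & 0xC0:  # compression pointers are not valid in a qname
            raise ValueError("compressed qname in question")
        off += 1 + msg[off]
    return off + 1 + 4  # terminating zero label + QTYPE + QCLASS


def truncated_response(query: bytes) -> bytes:
    """Build a TC=1 reply to any query, echoing ID, opcode, RD and the question."""
    if len(query) < 12:
        raise ValueError("short DNS message")
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    opcode_rd = flags & 0x7900  # keep opcode (bits 11-14) and RD (bit 8)
    rflags = 0x8000 | 0x0200 | opcode_rd  # QR=1, TC=1, RCODE=NOERROR
    end = _question_end(query)
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + query[12:end]


def is_truncated(msg: bytes) -> bool:
    """Client-side check: a TC=1 answer means 'repeat this query over TCP'."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)
```

The UDP socket loop around `truncated_response` is omitted; the TCP side, where the real SOA answer and the IXFR/AXFR stream live, is unchanged by this.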
