[dns-operations] root? we don't need no stinkin' root!
paul at redbarn.org
Wed Dec 4 17:19:55 UTC 2019
David Conrad wrote on 2019-12-04 08:31:
> [Sorry for the slow response — US holidays and a resolution not to look
> at my computer over said holidays got in the way]
> Further, the root servers have to respond to pretty much every DNS query
> that gets thrown at them, both UDP and TCP. A root zone distribution
> service would only need respond to AXFR/IXFR requests over TCP (and this
> could even be gated by whitelisting/blacklisting).
while i agree with this message on all points, i'd like to clarify that
the ixfr/axfr protocol begins with an SOA query, and there is no current
requirement that this be done via TCP. a TCP-mostly zone distribution
service would be unwise to simply ignore TCP -- rather, it would be best
to answer UDP with TC=1 regardless of the query content. the ixfr/axfr
protocol also relies on NOTIFY, which is also a UDP-mostly protocol.
of course, a revised protocol could be specified for any given service
such as a "root zone distribution service" which required that only TCP
be used, for both the initial SOA query, and NOTIFY if any, and then the
transfer (ixfr or axfr.) in that event, the above clarification would be
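(added example by the editor, not part of the message above.) the point made above, that a transfer client opens with an SOA query which may well arrive over UDP, and that a TCP-only distribution service should answer such UDP queries with TC=1 rather than dropping them, is shown below as a small stand-alone simulation of both sides. the wire format is plain RFC 1035 (no compression in the question, two-byte length prefix for TCP); the function names, the query IDs and the zone names are the editor's own and are not from the post or from any real root zone distribution service.

```python
"""Added example (not from the dns-operations post): a TCP-only zone
distribution service answering any UDP query with TC=1, and a transfer
client deciding from that answer to retry the SOA query over TCP."""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, TC, RD = 0x8000, 0x0200, 0x0100
TYPE_SOA, TYPE_IXFR, TYPE_AXFR, CLASS_IN = 6, 251, 252, 1


def encode_name(name):
    """Encode a dotted name into uncompressed wire-format labels."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qid, flags=RD):
    """Build a single-question query message (what a transfer client sends first)."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "qr": bool(flags & QR),
            "tc": bool(flags & TC), "rd": bool(flags & RD),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def question_end(msg):
    """Return the offset just past the single question section."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question section")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        pos += 1 + length
    return pos + 4  # QTYPE + QCLASS


def udp_truncated_response(query):
    """Server side: whatever the QTYPE (SOA, IXFR, AXFR, ...), echo the
    question back with QR and TC set, RD copied, RCODE 0 and no RRs.
    A client seeing TC=1 is expected to retry the same question over TCP."""
    hdr = parse_header(query)
    if hdr["qr"]:
        raise ValueError("refusing to answer a response as if it were a query")
    if hdr["qdcount"] != 1:
        raise ValueError("expected exactly one question")
    end = question_end(query)
    flags = QR | TC | (hdr["flags"] & RD)
    return struct.pack("!HHHHHH", hdr["id"], flags, 1, 0, 0, 0) + query[12:end]


def client_should_retry_over_tcp(query, response):
    """Client side: accept the answer only if the ID matches and it is a
    response; TC=1 means the UDP answer is unusable and TCP is needed."""
    q, r = parse_header(query), parse_header(response)
    return r["id"] == q["id"] and r["qr"] and r["tc"]


def frame_tcp(msg):
    """Prefix a message with the two-byte length used on a TCP connection."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Read one length-prefixed message from the start of a TCP byte stream."""
    if len(stream) < 2:
        raise ValueError("need two length bytes")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("incomplete message")
    return stream[2:2 + n]


if __name__ == "__main__":
    # Hypothetical exchange: client asks SOA for the root over UDP, gets TC=1,
    # then re-sends the identical query framed for TCP.
    udp_query = build_query(".", TYPE_SOA, 0x1234)
    udp_answer = udp_truncated_response(udp_query)
    if client_should_retry_over_tcp(udp_query, udp_answer):
        tcp_bytes = frame_tcp(udp_query)
        assert unframe_tcp(tcp_bytes) == udp_query
        print("TC=1 received, SOA query re-sent over TCP")
```

the server function deliberately ignores the query type: as noted above, a service that only speaks TCP should not try to be clever about which UDP queries deserve a real answer, it should push every one of them to TCP with TC=1. NOTIFY, being UDP-mostly, would need the same treatment or a TCP-only profile of its own.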