[dns-operations] root? we don't need no stinkin' root!

Tony Finch dot at dotat.at
Tue Nov 26 20:58:06 UTC 2019


I generally agree with Geoff Huston's thoughts on this subject
http://www.potaroo.net/ispcol/2019-04/root.html

Mirror zones (validated zone transfers) fall on the wrong side of the
cost/benefit equation for me. But I might change my mind if there were
better security for unauthenticated records (NS and glue), e.g.

* xfer-over-TLS - I'm really looking forward to support for authenticated
  server / anonymous client for zone transfers: nice for local root zones
  and cross-campus zone distribution.

* zone digests - interesting for end-to-end verification but maybe too
  complicated?


Mukund Sivaraman <muks at mukund.org> wrote:
>
> There are some Twitter feeds about what kinds of
> changes occur to the root zone and how frequently, e.g.:
>
> https://twitter.com/diffroot

Note that @diffroot does not tweet about changes to glue addresses which
happen a lot more frequently than NS and DS changes.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Biscay: Southwest, veering west, 6 to gale 8, occasionally severe gale 9 until
later. Rough or very rough becoming very rough or high, becoming very rough
later. Thundery showers. Good, occasionally poor.



More information about the dns-operations mailing list