[dns-operations] root? we don't need no stinkin' root!

Petr Špaček petr.spacek at nic.cz
Wed Nov 27 15:54:48 UTC 2019

On 27. 11. 19 9:53, Ondřej Surý wrote:
> Mark,
> I believe that any distributed system that won’t have a fallback to the RZ
> is inevitably doomed and will get out of sync.
> The RFC7706 works because there’s always a safe guard and if the resolver
> is unable to use mirrored zone, it will go to the origin.
> Call me a pessimist, but I’ve yet to see a loosely often neglected distributed system
> that won’t get out of sync.
> So, while the idea of distributing the full RZ to every resolver out there, there are two
> fundamental problems:
> 1. resilience - both against DoS and just plain breakage
> 2. the old clients - while the situation out there is getting better, we will still be stuck with
>     an old codebase for the foreseeable future
> What we can do is to make the load on RZ servers lighter, but we can’t make them just go.

I think there is an even more fundamental problem:
Someone has to pay the operational costs of "the new system".

Personally I do not see how a transition to another root-zone-distribution system solves the over-provisioning problem - the new system still has to be ready to absorb absurdly large DDoS attacks.

Have a look at https://www.knot-dns.cz/benchmark/ . The numbers in the charts at the bottom of the page show that a *single server machine* is able to reply to *all* steady-state queries for the root today.

Sure, we have speed-of-light limits, so let's say we need a couple hundred servers in well-connected places to keep reasonable latency. That's not a huge cost overall (keep in mind that these local nodes could be pretty small *if we were ignoring the over-provisioning problem*).

Most of the money today is spent on *massive* over-provisioning. As a practical example, the CZ TLD's over-provisioning factor is in the order of *hundreds* of steady-state query traffic, and the root might have even more.

Once we have a similarly resilient HTTP system it is a matter of simple configuration :-D

Petr Špaček  @  CZ.NIC
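As an added illustration of the "simple configuration" with a safeguard that both messages above refer to (this is an example added here, not a configuration posted by either author): Knot Resolver's prefill module periodically downloads the root zone over HTTPS and loads it into the cache, so steady-state root queries are answered locally. Because the data only lives in the cache, a failed or skipped download does not break resolution; once the cached records expire, the resolver simply iterates to the root servers as it always would, which is the RFC 7706-style fallback discussed in the thread. The URL is the public InterNIC root zone location; the `ca_file` path and the interval are assumptions that depend on the distribution.

```lua
-- Added example for Knot Resolver (kresd) configuration, assumes the
-- prefill module shipped with Knot Resolver 3.x and later.
modules.load('prefill')

prefill.config({
  ['.'] = {
    -- Public root zone file published by IANA/Verisign over HTTPS.
    url = 'https://www.internic.net/domain/root.zone',

    -- Re-fetch once a day (seconds). Assumed value; pick something that
    -- keeps the mirror well inside the root zone's SOA timers.
    interval = 86400,

    -- CA bundle used to verify the HTTPS server certificate. The path is
    -- an assumption and differs between distributions.
    ca_file = '/etc/pki/tls/certs/ca-bundle.crt',
  }
})
```

Operationally, the thing to monitor is whether the periodic fetch keeps succeeding: if it silently stops, the resolver does not serve stale data, it just falls back to querying the root directly, so the symptom is a rise in outbound root queries rather than wrong answers.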
