[dns-operations] root? we don't need no stinkin' root!

David Conrad drc at virtualized.org
Wed Nov 27 20:49:35 UTC 2019


Petr,

> I think there is an even more fundamental problem:
> Someone has to pay operational costs of "the new system".

The “new system” is simply the existing network of resolvers, augmented to have the root zone.  As far as I can tell, the operational cost would be in (a) ensuring the resolver is upgraded to support obtaining the root zone and (b) dealing with the fetch of the root zone with some frequency.

There would be an additional cost, that of making the root zone available to myriads of resolvers, but I believe this is an easily handled issue.

> Personally I do not see how transition to another root-zone-distribution system solves the over-provisioning problem - the new system still has to be ready to absorb absurdly large DDoS attacks.

Two ways:
- greater decentralization: there are a lot more resolvers than the number of instances root server operators are likely to ever deploy. While an individual resolver might melt down, the impact would only be the end users using that resolver (and it is relatively easy for a resolver operator to add more capacity, mitigate the attacking client, etc).
- the cost of operating and upgrading the service to deal with DDoS is distributed to folks whose job it is to provide that service (namely the ISPs or other network operators that run the resolvers).  Remember that the root server operators have day jobs, some of which are not particularly related to running root service, and they are not (currently) being compensated for the costs of providing root service.

> Have a look at https://www.knot-dns.cz/benchmark/ . The numbers in the charts at the bottom of the page show that a *single server machine* is able to reply to *all* steady-state queries for the root today.
> ...
> Most of the money is today spent on *massive* over-provisioning. As a practical example, the CZ TLD's over-provisioning factor is in the order of *hundreds* of steady-state query traffic, and the root might have even more.
Yep. As mentioned before, steady state is largely irrelevant.

In my view, the fact that root service infrastructure funnels up to a (logical) single point is an architectural flaw that may (assuming DDoS attack capacity continues to grow at the current rate or even grows faster with crappy IoT devices) put the root DNS service at risk.  One of the advantages of putting the root zone in the resolver is that it mitigates that potential risk.

Regards,
-drc
(Speaking for myself, not any organization I may be affiliated with)
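As an added example, not part of this message or the list archive: the resolver-side piece of items (a) and (b) above is what RFC 7706 (since superseded by RFC 8806, "Running a Root Server Local to a Resolver") specifies, and this is what it looks like as an Unbound configuration fragment. The root-server addresses are real, but which of them permit zone transfer is an assumption to check against RFC 8806 Appendix A, and the file paths are placeholders.

```conf
# Added example (not from the original message): have the resolver hold its
# own copy of the root zone, RFC 7706 / RFC 8806 style, using Unbound's
# auth-zone feature. Assumptions: Unbound 1.9 or newer; the listed root
# servers allow AXFR from this resolver; paths are placeholders.
server:
    # DNSSEC validation stays on. The locally held "." is still validated
    # against the root trust anchor, so a tampered or stale transfer cannot
    # silently poison answers; it can only cause validation failures.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    # Transfer sources (cost (b) in the message: the periodic root-zone fetch).
    # "master:" is the long-standing keyword; recent versions also accept "primary:".
    master: 192.33.4.12          # c.root-servers.net
    master: 192.5.5.241          # f.root-servers.net
    master: 193.0.14.129         # k.root-servers.net
    # Where the fetched zone is kept; refresh cadence follows the zone's own SOA.
    zonefile: "/var/lib/unbound/root.zone"
    # Use the local copy for this resolver's own iterative lookups ...
    for-upstream: yes
    # ... but never answer clients as though this host were a root server.
    for-downstream: no
    # If the transfer fails or the copy expires, fall back to querying the
    # root servers normally rather than failing closed. This is the setting
    # that keeps a decentralised deployment from turning a fetch problem into
    # an outage for that resolver's users.
    fallback-enabled: yes
```

Leaving `for-downstream` at its default of `yes` would expose the zone to clients, and turning `fallback-enabled` off trades the DDoS-mitigation benefit for a hard dependency on the transfer succeeding.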