[dns-operations] root? we don't need no stinkin' root!
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Thu Nov 28 17:49:19 UTC 2019
On 11/26/19 9:58 PM, Tony Finch wrote:
> Mirror zones (validated zone transfers) fall on the wrong side of the
> cost/benefit equation for me. But I might change my mind if there were
> better security for unauthenticated records (NS and glue)
These are why we only implemented the mechanism over HTTPS for now (in
addition to validating signatures).
https://knot-resolver.readthedocs.io/en/stable/modules.html#cache-prefilling
Still, I believe that a small resolver instance only needs a few DNS
queries to root (per TTL), so switching everyone to always transferring
the whole root should increase the total traffic considerably, and HTTPS
and XoT are probably more expensive than DNS-over-UDP given the same
traffic amount. That's where the aggressive-cache-only approach seems
nice, but (additionally) having full root would also avoid leaking any
of those garbage queries. (Except for those that hit an existing TLD,
but those can't be helped at the root level, and TLDs are generally too
big+dynamic for mirroring.)
--Vladimir
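The "aggressive-cache-only approach" above refers to RFC 8198 aggressive use of DNSSEC-validated NSEC records: a resolver that holds validated root NSEC records can answer junk queries for non-existent TLDs itself instead of sending them to the root, while queries that hit an existing TLD still have to be forwarded to that TLD's servers. The following Python is an added example written for this post, not Knot Resolver code and not the real root zone: the cached NSEC (owner, next) pairs are constructed, the root is assumed to contain only delegations and no wildcard, and the function names (`canonical_cmp`, `nsec_covers`, `lookup`) are the example's own.

```python
"""Aggressive NSEC caching (RFC 8198) at the root, as a worked example.

Constructed cache: (owner, next) NSEC pairs such as a validating resolver
might hold after a few root queries. These names are illustrative, not the
real root zone's NSEC chain.
"""

CACHED_NSEC = [
    (".", "aaa"),        # apex -> first TLD; this one also denies a "*." wildcard
    ("com", "coop"),
    ("coop", "corsica"),
    ("zw", "."),         # last NSEC of the zone: "next" wraps around to the apex
]


def canonical_labels(name):
    """Labels of `name` in canonical form: lowercased, root-most label first.
    The apex "." yields an empty list, which sorts before every other name."""
    name = name.rstrip(".").lower()
    return [] if name == "" else name.split(".")[::-1]


def canonical_cmp(a, b):
    """RFC 4034 section 6.1 ordering: compare label by label from the root
    downwards as byte strings (a shorter label that is a prefix sorts first);
    when one name is a proper ancestor of the other, the ancestor sorts first.
    Returns -1, 0 or 1."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner, nxt, name):
    """True when `name` lies strictly between owner and next in canonical
    order. The last NSEC of a zone points back to the apex, so for it the
    interval wraps around: anything after the owner is covered."""
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, nxt) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, nxt) < 0


def lookup(qname, cache=CACHED_NSEC):
    """What a resolver with an aggressive NSEC cache can do for `qname`
    without contacting a root server:
      'DELEGATED' - the TLD exists, so the query must go to the TLD's servers
                    (the root cannot absorb it, as the message notes);
      'NXDOMAIN'  - a cached NSEC proves the TLD does not exist and the apex
                    NSEC proves there is no "*." wildcard, so the answer is
                    synthesized locally and the junk query never leaves;
      'ASK_ROOT'  - no cached proof applies, so the root must be queried."""
    labels = canonical_labels(qname)
    if not labels:
        return "ASK_ROOT"            # the apex itself is not a TLD question
    tld = labels[0]                  # the label directly below the root
    if any(canonical_cmp(owner, tld) == 0 for owner, _ in cache):
        return "DELEGATED"
    tld_denied = any(nsec_covers(o, n, tld) for o, n in cache)
    wildcard_denied = any(nsec_covers(o, n, "*") for o, n in cache)
    if tld_denied and wildcard_denied:
        return "NXDOMAIN"
    return "ASK_ROOT"


if __name__ == "__main__":
    for q in ("www.example.com", "garbage.corporate", "foo.zzz", "host.local"):
        print(f"{q:20s} -> {lookup(q)}")
```

Two details matter for correctness here: the wrap-around of the zone's last NSEC (otherwise names sorting after the last TLD could never be denied), and the separate proof that no `*.` wildcard exists (without the apex NSEC in cache, a covering NSEC for the TLD alone is not enough, and the resolver must still ask the root).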