[dns-operations] root? we don't need no stinkin' root!

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Nov 28 19:29:57 UTC 2019


On Thu, Nov 28, 2019 at 09:42:46AM +0100, Petr Špaček wrote:

> Please let me try again:
> 
> Even if "the new system for root zone distribution" is BitTorrent it still:
> - (most likely) needs a set of static IP addresses to solve the bootstrap problem,
> - trackers need to be highly resilient against DDoS,
> - trackers most likely need to be anycasted to limit scope of DDoS.
> 
> I hypothesise that in the end requirements for "the new system for root zone
> distribution" will be fairly close to current requirements for current DNS
> root system... so I do not see where the cost reduction comes from.
> 
> Or in other words:
> If current root system must survive 1 TB/s attack so must the "the new system
> for root zone distribution" system, unless we move to decentralized root.

Yes, but the expected probability of a 1 TB/s attack is likely different for a
file transfer service over TCP than it is for a one-shot query service over
UDP.  The chief reason being that reflection of answers to forged source IPs is
not available with TCP, and so attacks on *other* systems via the root servers
are no longer attractive once the root servers just offer bulk data for
download via TCP.

So the key question is whether the attacks we're seeing today are aimed at the root
servers themselves, or are DDoS reflection attacks on other systems.  Of course
once we're in the business of waving magic wands, it would be très chic if all
network operators implemented BCP38, and compromised Internet of T!@#$% devices
were no longer able to mask their origin networks.

-- 
    Viktor.
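The BCP38 ingress filtering Viktor wishes for is the control that removes the forged-source precondition of UDP reflection. As an added illustration (not code from the thread or from any operator), here is a small Python model of an edge router that accepts a packet from a customer-facing interface only when its source address lies in a prefix delegated to that interface; the interface names, prefixes and sample packets are constructed, using documentation address ranges.

```python
"""BCP38-style ingress filtering, modelled in Python (added example)."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst proto")

# Constructed topology: prefixes delegated to each customer-facing interface.
DELEGATED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


def source_is_valid(iface, src, delegated=DELEGATED):
    """True if src falls inside a prefix delegated to iface (strict BCP38)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in delegated.get(iface, []))


def filter_ingress(packets, delegated=DELEGATED):
    """Split packets into (accepted, dropped) under strict ingress filtering.

    A packet whose source is not routable back through its ingress interface
    is dropped at the edge, so it can never reach a reflector with a forged
    source and never produces an answer aimed at a third party.
    """
    accepted, dropped = [], []
    for pkt in packets:
        bucket = accepted if source_is_valid(pkt.iface, pkt.src, delegated) else dropped
        bucket.append(pkt)
    return accepted, dropped


# Constructed sample traffic towards a hypothetical DNS server (203.0.113.53).
# The last two packets carry forged sources (an address outside the customer's
# delegation, and another customer's address) and must be dropped.
SAMPLE = [
    Packet("cust-a", "192.0.2.10", "203.0.113.53", "udp"),
    Packet("cust-b", "2001:db8:b::1", "2001:db8::53", "tcp"),
    Packet("cust-a", "203.0.113.7", "203.0.113.53", "udp"),
    Packet("cust-b", "192.0.2.10", "203.0.113.53", "udp"),
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE)
    for p in bad:
        print("dropped spoofed source", p.src, "on", p.iface)
```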