[dns-operations] K-root in CN leaking outside of CN

Phillip Hallam-Baker phill at hallambaker.com
Sat Nov 6 17:25:26 UTC 2021


On Sat, Nov 6, 2021 at 12:52 PM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Sat, Nov 06, 2021 at 12:35:00PM -0400, Phillip Hallam-Baker wrote:
>
> > If the DNS protocol were sane the root zone would be published as a
> > notarized, chained append-only log. Every DNS resolver would obtain a
> > list of updates to that log either directly or indirectly. There would be no
> > root server to poison or DDoS.
>
> https://localroot.isi.edu/about/


So near!

But the problems are that 1) you need to know you have the up-to-date copy,
so I think you want to go for a chain approach, which naturally lends itself
to replication, 2) you need an infrastructure that allows you to get updates
when the source is DDoSed, and 3) this has to be turned on by default.

I know this has been proposed multiple times. But it still isn't common let
alone standard operating procedure.


It should be, of course, because local root allows a resolver to kill
resolution of non-existent TLDs, which is 99% of the traffic they send to
the root.
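The two mechanisms discussed in this thread, a chained append-only log of root zone updates that a replica can verify before trusting, and a local root copy that lets a resolver answer NXDOMAIN for undelegated TLDs without asking a root server, as an added example (not code from the post, from localroot.isi.edu, or from any DNS implementation). The update format (serial plus added/removed delegations), the sample TLDs and nameserver names, and the `GENESIS` value are all constructed for this example; the notary signature over each entry that the post calls for is assumed to sit on top of this and is not shown, only the hash chain is.

```python
"""Added example: a hash-chained, append-only log of root-zone delegation
updates, plus a local-root lookup that answers NXDOMAIN for undelegated TLDs
without contacting a root server. All data below is constructed."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry (constructed convention)


def _entry_hash(serial, prev_hash, added, removed):
    # Canonical JSON (sorted keys, fixed separators) so every replica hashes identically.
    body = json.dumps(
        {"serial": serial, "prev": prev_hash, "added": added, "removed": removed},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(body.encode()).hexdigest()


def append_update(log, serial, added=None, removed=None):
    """Append one update, chaining it to the previous entry's hash.
    Serials must strictly increase: an 'update' that rewinds is rejected."""
    added = dict(added or {})        # {tld: [nameserver, ...]}
    removed = sorted(removed or [])  # [tld, ...]
    if log and serial <= log[-1]["serial"]:
        raise ValueError("serial must increase: the log is append-only")
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"serial": serial, "prev": prev, "added": added, "removed": removed}
    entry["hash"] = _entry_hash(serial, prev, added, removed)
    log.append(entry)
    return entry


def verify_chain(log):
    """True only if every entry's hash matches its content, links to its
    predecessor, and serials increase. Any edit to an earlier entry breaks
    the chain, which is what lets a replica detect a tampered or stale copy."""
    prev = GENESIS
    last_serial = None
    for entry in log:
        if entry["prev"] != prev:
            return False
        expected = _entry_hash(entry["serial"], entry["prev"], entry["added"], entry["removed"])
        if entry["hash"] != expected:
            return False
        if last_serial is not None and entry["serial"] <= last_serial:
            return False
        prev, last_serial = entry["hash"], entry["serial"]
    return True


def replay(log):
    """Replay the verified log from genesis to obtain the current delegation set."""
    delegations = {}
    for entry in log:
        for tld in entry["removed"]:
            delegations.pop(tld, None)
        delegations.update(entry["added"])
    return delegations


def local_root_lookup(delegations, qname):
    """Answer from the local root copy: NXDOMAIN for an undelegated TLD
    (never forwarded to a root server), otherwise the referral for the TLD."""
    labels = qname.rstrip(".").lower().split(".")
    tld = labels[-1]
    if tld == "":
        return ("ROOT", sorted(delegations))   # query for the root itself
    if tld not in delegations:
        return ("NXDOMAIN", None)
    return ("REFERRAL", delegations[tld])


def build_sample_log():
    """Constructed sample: three updates to a toy root zone (not real root data)."""
    log = []
    append_update(log, 2021110600,
                  added={"com": ["ns1.com-tld.test."], "org": ["ns1.org-tld.test."]})
    append_update(log, 2021110601, added={"example": ["ns1.example-tld.test."]})
    append_update(log, 2021110602, removed=["example"])
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain valid:", verify_chain(sample))
    current = replay(sample)
    for name in ("www.example.com.", "host.example.", "ftp.nosuchtld."):
        print(name, "->", local_root_lookup(current, name)[0])
```

A replica that fetches only the entries after its last known serial can verify the new tail against the hash it already holds, which is the "chain naturally lends itself to replication" point; the referral or NXDOMAIN decision then never leaves the resolver.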