[Sorry for the slow response — US holidays and a resolution not to look at my 
computer over said holidays got in the way]

> On Nov 28, 2019, at 12:42 AM, Petr Špaček <petr.spa...@nic.cz> wrote:
> On 27. 11. 19 21:49, David Conrad wrote:
>> Petr,
>> 
>>> I think there is even more fundamental problem:
>>> Someone has to pay operational costs of "the new system".
>> 
>> The “new system” is simply the existing network of resolvers, augmented to 
>> have the root zone.  As far as I can tell, the operational cost would be in 
>> (a) ensuring the resolver is upgraded to support obtaining the root zone and 
>> (b) dealing with the fetch of the root zone with some frequency.
> 
> I hypothesise that in the end requirements for "the new system for root zone 
> distribution" will be fairly close to current requirements for current DNS 
> root system... so I do not see where the cost reduction comes from.

Root zone distribution is on different timescales than root query service.  
Even if the root zone distribution service relies only on AXFR, an effective 
DDoS of that service based on SOA timers would need to be maintained for far 
longer than a DDoS against root service based on cache TTLs.  And, of course, 
folks have already been looking at distributing the root zone via stuff other 
than AXFR (e.g., HTTPS).

Further, the root servers have to respond to pretty much every DNS query that 
gets thrown at them, both UDP and TCP. A root zone distribution service would 
only need to respond to AXFR/IXFR requests over TCP (and this could even be gated 
by whitelisting/blacklisting).

Regards,
-drc
(Speaking for myself, not any organization I may be affiliated with)
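
To make the two halves of the design above concrete (a resolver that holds its own copy of the root zone, and a distribution service that answers nothing but zone-transfer traffic from an allow-list), here is an added BIND 9 named.conf example. It is editorial illustration, not configuration from David Conrad, ICANN, or the dns-operations list. Assumptions: BIND 9.16 or later (for the `type mirror`, `type secondary` and `primaries` keywords), and that `type mirror` on "." falls back to BIND's built-in list of root zone transfer servers when no `primaries` are given. The ACL name `root-xfr-clients`, the upstream address 192.0.2.53 and the client ranges are hypothetical placeholders drawn from documentation prefixes.

```conf
// ---- Side A: recursive resolver carrying a local copy of the root zone ----
// (RFC 8806 style; this is the "existing resolver, augmented" case.)
// Added editorial example; not configuration from the original message.
options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-validation auto;   // the mirrored root zone is verified against the trust anchor
};

zone "." {
    type mirror;
    // No 'primaries' given: BIND uses its built-in list of root zone
    // transfer servers. The zone is fetched by AXFR/IXFR on the SOA refresh
    // timer and served locally; if it cannot be refreshed before SOA expire,
    // BIND falls back to ordinary iterative resolution via the root hints.
};

// ---- Side B: a root zone distribution server (separate named.conf) ----
// Answers only zone-transfer traffic, only from an allow-list, never recurses.
options {
    directory "/var/cache/bind";
    recursion no;
    allow-recursion { none; };
    // Reject every query by default; the zone below re-opens access narrowly.
    allow-query { none; };
};

// Hypothetical allow-list of resolver operators permitted to pull the zone.
// 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes (RFC 5737 / RFC 3849).
acl "root-xfr-clients" {
    192.0.2.0/24;
    2001:db8::/32;
};

zone "." {
    type secondary;
    primaries { 192.0.2.53; };   // hypothetical upstream copy of the root zone
    file "root.zone";
    // AXFR/IXFR is gated to the allow-list. SOA queries are how clients decide
    // whether to transfer at all, so the same list is applied to allow-query;
    // nothing outside the list gets an answer of any kind from this server.
    allow-transfer { root-xfr-clients; };
    allow-query    { root-xfr-clients; };
    notify no;
};
```

Checks after reloading Side B: `dig @<server> . SOA` from a host outside the allow-list should be refused, while `dig @<server> . AXFR +tcp` from a listed host should return the whole zone. On Side A, `rndc zonestatus .` shows whether the mirror zone is loaded and when the next refresh is due; if it ever expires, named logs the fallback to root hints, which is the operational failure mode the thread is weighing against the cost of running the distribution service.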




_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
