In message <20090804033135.gb4...@shinkuro.com>, Andrew Sullivan writes:
> As usual when posting to this list, I am wearing no hat.
> 
> On Wed, Jul 29, 2009 at 01:59:08PM +1000, Mark Andrews wrote:
> 
> >     Having a local copy of the root zone is a much better
> >     way to deal with queries to the root.
> 
> Is that really the advice we are giving people these days?  It strikes
> me that in other contexts, a similar suggestion has been derided as
> foolhardy, dangerous, and susceptible to evil behaviour by ISPs and
> others.
> 
> Confused,
> 
> A

It has always been the best way to deal with garbage queries to the
root as it is the only method that deals with spread of query names
from unqualified queries being tried at the root.

Some people think that it may be abused by ISP's which replace the
root with alternate content.  This is a bogus worry as they have
always been able to do that.  They could also just as easily point
the hints at alternate root servers.

Some people think that the copy may become outdated, which can easily
be addressed by using automated methods to keep the local copy in
sync.  AXFR/IXFR from the root servers works, as does regularly
ftping it.

Some people worry that AXFR/IXFR from the root servers will put too
much load on them.  AXFR/IXFR actually shifts the load pattern
around and should reduce it.  AXFR/IXFR chain, so you can have one or
two nameservers copying the content from the root servers and the
rest of the servers in the organisation transfer from them, further
reducing the load on the actual root servers at the cost of a small
update delay.  This delay can be reduced by the use of explicit
notifies from the servers doing the fetches from the roots.

Some people worry that it will take too long for errors in handling
of the root zone content to be corrected.  Recursive servers that
AXFR/IXFR the root content will actually be better than those that
don't, as AXFR/IXFR will cause bad data to be flushed sooner than TTL
expiry would.

What will go away is the root operator's ability to snoop on queries
as they will no longer be going to the root servers but will instead
be processed locally.

The only real downside is that ICANN could cause the root zone to
grow too big for the local resolver.

Note with a signed root it is easier to detect both replacement of
the contents and stale content.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
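The chained arrangement Mark describes (one or two servers transferring the root zone from the root servers, the rest of the organisation transferring from them, with explicit notifies to cut the update delay) maps onto BIND 9 configuration roughly as follows. This is an added illustration, not configuration from the message, from ISC or from any root operator; the two stanzas belong to two different servers' named.conf files (a single server cannot carry zone "." twice), and every address is an RFC 5737 documentation placeholder standing in for the real transfer addresses of root servers that permit AXFR and for the organisation's own resolvers.

```conf
// Server 1 ("fetcher"): transfers the root zone directly from the root
// servers and notifies the organisation's other resolvers on change.
// Hypothetical example, not from the original thread.
zone "." {
    type slave;                  // BIND 9 keyword; newer releases also accept "secondary"
    file "slave/root.zone";      // local copy kept in sync by AXFR/IXFR
    masters {
        192.0.2.1;               // PLACEHOLDER: a root server that allows AXFR/IXFR
        192.0.2.2;               // PLACEHOLDER: a second one for redundancy
    };
    notify explicit;             // NOTIFY only the hosts in also-notify, not the zone's NS set
    also-notify { 198.51.100.10; 198.51.100.11; };  // PLACEHOLDER: downstream resolvers
    allow-transfer { 198.51.100.0/24; };            // PLACEHOLDER: internal network only
};

// Server 2 (downstream resolver): transfers the root from the fetcher,
// never from the root servers, so the roots see one or two copies from
// this organisation regardless of how many resolvers it runs.
zone "." {
    type slave;
    file "slave/root.zone";
    masters { 198.51.100.5; };   // PLACEHOLDER: address of the fetcher above
    allow-transfer { none; };    // leaf of the chain; nobody transfers from here
};
```

The SOA serial in each server's copy is the quickest staleness check: if the fetcher's serial is newer than a downstream resolver's for longer than the refresh interval, the NOTIFY or transfer path between them is broken. With a signed root, DNSSEC validation additionally catches a copy whose contents have been replaced or whose signatures have expired.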
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
