> On Jul 31, 2018, at 5:44 AM, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:
>
> I wonder if there still is a use case for distributing the root zone. With QNAME minimization and NXDOMAIN based on NSEC records, the major use cases seem to be gone. Compared to other zones, the root is massively over provisioned. So if (from an availability point of view) there is need to have a local copy of the root, then you would need a local copy of .com as well.
A local copy of the root zone improves availability in and of itself because of its importance as the starting point of all resolution. While the root zone is indeed massively over provisioned, the bad guys will always be able to send more traffic: that's an un-winnable arms race. And over provisioning doesn't help me if reachability is poor from my particular vantage point. Availability will therefore always be a concern. Sure, a local copy of .com would (further) improve availability, but that's entirely impractical given the zone's size and rate of change. We're fortunate that the critically important root zone is small enough and changes infrequently enough that having a local copy is a realistic option.

I don't think we should assume only (or even primarily) AXFR for root zone distribution on a massive scale. Building a scalable infrastructure for that is a significant expense that I don't think is necessary (for the root operators or anyone else) when distributing 2MB files is a problem that's been solved other ways many times over. Why not distribute the root zone via, for example, multiple CDNs?

To verify the integrity of the downloaded zone one could validate all the RRSIGs, but that opens up the DOS and privacy attacks that have been described elsewhere in this discussion. And even if we issue admonitions to not have a local copy of the root zone without also enabling DNSSEC validation, we know that realistically there will be those who do the former without the latter.

For all those reasons, I think a checksum in the zone file itself that can be verified with DNSSEC is the best option for this use case, and I like the ZONEMD solution.

Matt

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
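The point Matt makes, that a whole-zone digest carried inside the zone catches tampering and truncation of a downloaded copy without validating every RRSIG, is easy to see in code. The following is an added illustration, not code from the thread or from any ZONEMD implementation (the design was later standardised as the ZONEMD RR in RFC 8976, whose wire-format canonicalisation this toy deliberately does not reproduce). It uses a constructed `example.` zone in presentation format, a hypothetical record type name `X-ZONEDIGEST` standing in for ZONEMD, and a simplified canonical form (lowercased owner, records sorted by reversed labels, type and RDATA, hashed as text lines). In the real design the digest record at the apex is itself covered by an RRSIG, so a validating consumer needs to check only that one signature plus the digest; the DNSSEC step is not modelled here.

```python
import hashlib
import hmac

# Constructed toy zone (not real root data); a delegation plus glue.
TOY_ZONE = """\
example.        86400 IN SOA ns1.example. admin.example. 2018073100 7200 3600 1209600 3600
example.        86400 IN NS  ns1.example.
example.        86400 IN NS  ns2.example.
ns1.example.    86400 IN A   192.0.2.1
ns2.example.    86400 IN A   192.0.2.2
tld.example.    86400 IN NS  ns.tld.example.
ns.tld.example. 86400 IN A   192.0.2.53
"""

DIGEST_TYPE = "X-ZONEDIGEST"   # hypothetical stand-in for the ZONEMD RR type
HASH_ALG = "sha384"            # assumption: one fixed hash for the toy


def parse_zone(text):
    """Turn presentation-format lines into (owner, ttl, class, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), rrclass.upper(),
                        rrtype.upper(), " ".join(rdata.split())))
    return records


def canonical_key(rr):
    """Sort by owner labels from the root downwards, then type, then RDATA."""
    owner, _, _, rrtype, rdata = rr
    return (owner.rstrip(".").split(".")[::-1], rrtype, rdata)


def zone_digest(records, apex):
    """Hash every record except the apex digest record itself, in canonical order."""
    h = hashlib.new(HASH_ALG)
    for owner, ttl, rrclass, rrtype, rdata in sorted(records, key=canonical_key):
        if owner == apex and rrtype == DIGEST_TYPE:
            continue
        h.update(f"{owner} {ttl} {rrclass} {rrtype} {rdata}\n".encode())
    return h.hexdigest()


def soa_serial(records, apex):
    soa = [r for r in records if r[0] == apex and r[3] == "SOA"]
    return soa[0][4].split()[2] if len(soa) == 1 else None


def publish(text, apex):
    """Producer side: append the digest record bound to the current SOA serial."""
    records = parse_zone(text)
    serial = soa_serial(records, apex)
    digest = zone_digest(records, apex)
    return text + f"{apex} 86400 IN {DIGEST_TYPE} {serial} {HASH_ALG} {digest}\n"


def verify(text, apex):
    """Consumer side: recompute and compare; any edit, drop or add of an RR fails."""
    records = parse_zone(text)
    digests = [r for r in records if r[0] == apex and r[3] == DIGEST_TYPE]
    serial = soa_serial(records, apex)
    if serial is None or len(digests) != 1:
        return False
    pub_serial, algo, published = digests[0][4].split()
    if pub_serial != serial or algo != HASH_ALG:
        return False   # digest belongs to a different version of the zone
    return hmac.compare_digest(published, zone_digest(records, apex))


def drop_owner(text, owner):
    """Constructed tampering helper: remove every line for one owner name."""
    kept = [l for l in text.splitlines() if not l.startswith(owner)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    signed = publish(TOY_ZONE, "example.")
    print("intact copy:    ", verify(signed, "example."))
    print("changed glue:   ", verify(signed.replace("192.0.2.53", "198.51.100.9"), "example."))
    print("dropped NS set: ", verify(drop_owner(signed, "tld.example."), "example."))
    print("no digest at all", verify(TOY_ZONE, "example."))
```

The third case is the one worth noticing: per-record RRSIG validation on a local copy cannot tell that an entire delegation was silently removed, because every remaining record still validates; a digest over the whole zone catches it. Binding the digest to the SOA serial also prevents an old digest record from being paired with a newer zone body.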