Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-18 Thread Mark Allman
> Still, I believe that a small resolver instance only needs a few > DNS queries to root (per TTL), so switching everyone to always > transferring the whole root should increase the total traffic > considerably, An anecdote here ... I crunched a day's worth of DNS traffic originated at ICSI (wh

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-18 Thread Mark Allman
>> On 11 Dec 2019, at 12:51, Stephane Bortzmeyer wrote: >> >> IMHO, this is by far the biggest issue with your proposal: TLDs change >> from one technical operator to another and, when it happens, all name >> servers change at once. > > That’s not correct. > > In principle, they could all change

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-18 Thread Mark Allman
Hi Stephane! Thanks for the note. I have been thinking about this point a bit. > IMHO, this is by far the biggest issue with your proposal: TLDs > change from one technical operator to another and, when it > happens, all name servers change at once. Should your proposal be > implemented, we wo

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Tony Finch
Matthew Pounsett wrote: > I have yet to witness anyone splitting the NS change up into multiple > IANA requests. Amazon did it with their TLDs earlier this year, which is notable because there were/are so many of them. There have been plenty of other examples of staged switch-overs. https://git

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Paul Vixie
Florian Weimer wrote on 2019-12-11 12:16: * Jason Livingood: ... The real question is whether any distribution will be a substantial improvement over what we have today with NSEC-based NXDOMAIN synthesis for the root. I doubt it. i am +1 to this comment, but in a way that requires expla
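
The NSEC-based NXDOMAIN synthesis that Florian Weimer and Paul Vixie refer to (aggressive use of DNSSEC-validated cache, RFC 8198) is what lets a validating resolver answer junk TLD queries locally instead of forwarding them to a root server. The following is an added example, not code from the thread or from any resolver implementation: the NSEC chain it uses is a constructed, deliberately incomplete stand-in for the real root zone's chain, and the function names are hypothetical. It implements RFC 4034 canonical ordering (including the wrap-around of the last NSEC back to the apex) and the RFC 8198 rule that both the next closer name and the wildcard at the closest encloser must be proven absent before NXDOMAIN may be synthesized.

```python
from typing import Optional

# Constructed cache of root NSEC records as (owner, next_owner) pairs.  The
# real root chain has well over a thousand entries; these few are stand-ins,
# and the gaps are deliberate: a resolver only holds the NSECs it has seen.
CACHED_ROOT_NSEC = [
    (".", "aaa."),             # apex NSEC: everything sorting before aaa. is absent
    ("aaa.", "abb."),
    ("com.", "comcast."),
    ("comcast.", "commbank."),
    ("zw.", "."),              # last NSEC in the chain wraps back to the apex
]


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1 canonical ordering.

    Labels are compared right to left as lowercased bytes.  The root "." maps
    to the empty tuple, so it sorts first, and tuple comparison makes a name
    sort before any name it is a suffix of, as the RFC requires.
    """
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return tuple(lab.lower().encode("ascii") for lab in reversed(labels))


def nsec_covers(owner: str, next_owner: str, name: str) -> bool:
    """True if NAME lies strictly inside the gap this NSEC proves empty."""
    o, n, q = canonical_key(owner), canonical_key(next_owner), canonical_key(name)
    if q == o:
        return False            # the name exists; this NSEC proves nothing about it
    if o < n:
        return o < q < n
    return q > o or q < n       # wrap-around case for the last NSEC in the chain


def covering_nsec(name: str) -> Optional[tuple]:
    """Return the cached NSEC covering NAME, or None if the cache has no proof."""
    for owner, nxt in CACHED_ROOT_NSEC:
        if nsec_covers(owner, nxt, name):
            return (owner, nxt)
    return None


def name_exists(name: str) -> bool:
    """A name is known to exist if it owns a cached NSEC."""
    key = canonical_key(name)
    return any(canonical_key(owner) == key for owner, _ in CACHED_ROOT_NSEC)


def resolve_against_cache(qname: str) -> str:
    """Decide what a validating resolver can do with QNAME from cached root NSECs.

    "EXISTS":   the TLD is in the root zone, so follow its delegation.
    "NXDOMAIN": synthesized locally (RFC 8198 section 5.1): the next closer
                name (the TLD label) and the wildcard at the closest encloser
                ("*.", since the closest encloser is the root) are both proven
                absent, so no root query is needed.
    "MISS":     the cache proves nothing; the query has to go to a root server.
    """
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    if not labels:
        return "EXISTS"                 # the apex itself
    tld = labels[-1] + "."              # next closer name below the root
    if name_exists(tld):
        return "EXISTS"
    if covering_nsec(tld) and covering_nsec("*."):
        return "NXDOMAIN"
    return "MISS"


if __name__ == "__main__":
    for q in ("comb.", "aab.", "zzz.", "www.ComCast.", "xkqjdmv.", "www.example."):
        print(f"{q:16} -> {resolve_against_cache(q)}")
```

Note the MISS cases: a random Chrome-style label such as "xkqjdmv." still goes to the root unless the resolver happens to hold the NSEC spanning it, which is why synthesis reduces but does not eliminate junk traffic at the root.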

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Matthew Pounsett
On Wed, 11 Dec 2019 at 08:24, Jim Reid wrote: > > In principle, they could all change at once, In reality, they don’t. > > This absolutely does happen. I've been at the helm of several operator changes on TLDs that saw all the NS reco

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Florian Weimer
* Jason Livingood: > Seems like the answer then is to have the resolver check for updates > more frequently. The file is tiny and so this is not in the least > going to be resource-intensive. Just check every XX minutes. I had hoped that we could use distribution update mechanisms for the zone, l

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Florian Weimer
* Stephane Bortzmeyer: > It doesn't matter. Everything is done in a few days. For a resolver > updating its copy of the root every month, this is enough to break > things. Agreed. A fancy distribution protocol would be needed instead. (I see parallels here with compiler changes where people cla

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Paul Ebersman
jreid> In principle, they could all change at once, In reality, they jreid> don't. dot> But they do. Vanuatu did yesterday, and I mentioned some other dot> recent examples in this thread a couple of weeks ago: dot> https://lists.dns-oarc.net/pipermail/dns-operations/2019-November/019486.html Yup

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Dec 11, 2019 at 03:51:14PM +, Livingood, Jason wrote a message of 7 lines which said: > Seems like the answer then is to have the resolver check for updates > more frequently. The file is tiny and so this is not in the least > going to be resource-intensive. Just check every XX min

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Livingood, Jason
> It doesn't matter. Everything is done in a few days. For a resolver updating its copy of the root every month, this is enough to break things. Seems like the answer then is to have the resolver check for updates more frequently. The file is tiny and so this is not in the least going to

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Tony Finch
Jim Reid wrote: > > In principle, they could all change at once, In reality, they don’t. But they do. Vanuatu did yesterday, and I mentioned some other recent examples in this thread a couple of weeks ago: https://lists.dns-oarc.net/pipermail/dns-operations/2019-November/019486.html Tony. -- f.

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Rubens Kuhl
> Em 11 de dez de 2019, à(s) 10:20:000, Jim Reid escreveu: > > > >> On 11 Dec 2019, at 12:51, Stephane Bortzmeyer wrote: >> >> IMHO, this is by far the biggest issue with your proposal: TLDs change >> from one technical operator to another and, when it happens, all name >> servers change at

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Dec 11, 2019 at 01:20:13PM +, Jim Reid wrote a message of 22 lines which said: > In principle, they could all change at once, In reality, they > don’t. When making a change of this nature, established wisdom is to > change half of the NS records (or their glue), wait a few days to

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Jim Reid
> On 11 Dec 2019, at 12:51, Stephane Bortzmeyer wrote: > > IMHO, this is by far the biggest issue with your proposal: TLDs change > from one technical operator to another and, when it happens, all name > servers change at once. That’s not correct. In principle, they could all change at once,

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Mon, Dec 02, 2019 at 10:17:30AM -0500, Mark Allman wrote a message of 36 lines which said: > Obviously, there could be a more comprehensive analysis, but I think > that gives some idea about how stable the root zone file is in > practice. IMHO, this is by far the biggest issue with your pr

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Nov 27, 2019 at 10:38:32AM -0500, Keith Mitchell wrote a message of 37 lines which said: > On garbage-collecting crap traffic, it's worth looking at AS112. There has been a proposal at IETF to use AS112 as a sinkhole for "special" TLDs such as .local or .home, which are responsible f

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-04 Thread Tony Finch
Mark Allman wrote: > > Obviously, there could be a more comprehensive analysis I have a 3.5GB git repository containing 14500 commits with versions of the root zone going back to March 2014, if anyone wants something to analyse. I also have a BIND root.jnl file (140MB gzipped) which appears to st

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-04 Thread Paul Vixie
David Conrad wrote on 2019-12-04 08:31: [Sorry for the slow response — US holidays and a resolution not to look at my computer over said holidays got in the way] ... Further, the root servers have to respond to pretty much every DNS query that gets thrown at them, both UDP and TCP. A root zon

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-04 Thread David Conrad
[Sorry for the slow response — US holidays and a resolution not to look at my computer over said holidays got in the way] > On Nov 28, 2019, at 12:42 AM, Petr Špaček wrote: > On 27. 11. 19 21:49, David Conrad wrote: >> Petr, >> >>> I think there is even more fundamental problem: >>> Someone has

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-03 Thread Thomas, Matthew via dns-operations
-operations on behalf of Rubens Kuhl Date: Friday, November 29, 2019 at 8:38 PM To: "dns-operations@lists.dns-oarc.net" Subject: [EXTERNAL] Re: [dns-operations] root? we don't need no stinkin' root! The data could have monetary value. Passwords that are otherwise difficult

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-02 Thread Viktor Dukhovni
On Dec 2, 2019, at 3:09 PM, Mark Allman wrote: > > For reachability, it is not enough to consider the nameserver IP > > addresses, did you also check DS record stability? > > I did not. I was more interested in understanding how much the > infrastructure churned. To me the crypto stuff is confi

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-02 Thread Mark Allman
> For reachability, it is not enough to consider the nameserver IP > addresses, did you also check DS record stability? I did not. I was more interested in understanding how much the infrastructure churned. To me the crypto stuff is config that we can more readily hack. And, while I didn't s

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-02 Thread Viktor Dukhovni
On Mon, Dec 02, 2019 at 10:17:30AM -0500, Mark Allman wrote: > Not a direct answer to your question, but a couple empirical bits from > the paper that started this thread ... > > We analyzed a snapshot of the root zone file from each day in > April, 2019. On the first of the month the ro

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-02 Thread Mark Allman
Hi Florian! > What's the change rate for the root zone? If there is a full > transition of the name server addresses for a zone, how long does > it typically take from the first change to the completion of the > sequence of changes? Not a direct answer to your question, but a couple empirical

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-30 Thread Rubens Kuhl
> On 30 Nov 2019, at 14:31, Keith Mitchell wrote: > > On 11/29/19 8:32 PM, Rubens Kuhl wrote: > >> including making studies that other parties can't reproduce due to >> being limited to DITL data. > > DITL data is available to any party who signs an OARC Data Sharing > agreement. Keith, D

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-30 Thread Keith Mitchell
On 11/29/19 8:32 PM, Rubens Kuhl wrote: > including making studies that other parties can't reproduce due to > being limited to DITL data. DITL data is available to any party who signs an OARC Data Sharing agreement. Keith ___ dns-operations mailing li

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Rubens Kuhl
>> >> The data could have monetary value. Passwords that are otherwise >> difficult to come by might be leaking. > > Hi Florian, > > I can assure you that Verisign does not monetize the root server data. If > any other operators do, I'm not aware of it. > > We do utilize root server data for

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Jeremy Harris
On 29/11/2019 19:34, Tony Finch wrote: > Attackers can get a small amplification from SYN/ACK retries, and this is > being used in the wild. > > https://www.darkreading.com/attacks-breaches/new-ddos-attacks-leverage-tcp-amplification-/d/d-id/1336339 This isn't small. It'd be good to know _what_

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Viktor Dukhovni
On Fri, Nov 29, 2019 at 09:17:32PM +0100, Tom Ivar Helbekkmo wrote: > > Attackers can get a small amplification from SYN/ACK retries, and this > > is being used in the wild. > > Can you actually implement a TCP stack without that possibility? Not in general, but if for a particular service the c

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Viktor Dukhovni
On Fri, Nov 29, 2019 at 07:34:56PM +, Tony Finch wrote: > Viktor Dukhovni wrote: > > > > reflection of answers to forged source IPs is not available with TCP > Attackers can get a small amplification from SYN/ACK retries, and this is > being used in the wild. > > https://www.darkreading.co

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Tony Finch
Tom Ivar Helbekkmo wrote: > > Can you actually implement a TCP stack without that possibility? I vaguely speculate that it would be better to rely on SYN retries and abolish SYN/ACK retries, but I have no idea what it might break. Tony. -- f.anthony.n.finch http://dotat.at/ safeguard the bal

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Tom Ivar Helbekkmo via dns-operations
Tony Finch writes: > Attackers can get a small amplification from SYN/ACK retries, and this > is being used in the wild. Can you actually implement a TCP stack without that possibility? -tih -- Most people who graduate with CS degrees don't understand the significance of

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Tony Finch
Florian Weimer wrote: > > But does anyone swap out the name servers for a TLD over the course of > five days? Complete replacement of delegation NS RRsets happens fairly frequently. I don't pay attention to the glue, tho, so I don't know how often these are just renames as opposed to server platf

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-29 Thread Tony Finch
Viktor Dukhovni wrote: > > reflection of answers to forged source IPs is not available with TCP Attackers can get a small amplification from SYN/ACK retries, and this is being used in the wild. https://www.darkreading.com/attacks-breaches/new-ddos-attacks-leverage-tcp-amplification-/d/d-id/133633

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-28 Thread Viktor Dukhovni
On Thu, Nov 28, 2019 at 09:42:46AM +0100, Petr Špaček wrote: > Please let me try again: > > Even if "the new system for root zone distribution" is BitTorrent it still: > - (most likely) needs a set of static IP addresses to solve the bootstrap > problem, > - trackers need to be highly resilient

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-28 Thread Paul Ebersman
mallman> I wonder if we're ever allowed to just decide this sort of mallman> thing is ridiculous old shit and for lots of reasons we can and mallman> should just garbage collect it away. ebersman> We aren't allowed as IETF/engineers. The world sort of is. ;) tale> I see the :) but I'm thinking th

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-28 Thread Dave Lawrence
Paul Ebersman writes: > mallman> I wonder if we're ever allowed to just decide this sort of > mallman> thing is ridiculous old shit and for lots of reasons we can and > mallman> should just garbage collect it away. > > We aren't allowed as IETF/engineers. The world sort of is. ;) I see the :) but

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-28 Thread Paul Vixie
On Wednesday, 27 November 2019 15:38:32 UTC Keith Mitchell wrote: > ... > > While AS112 makes a difference, it is far from ubiquitous or optimal. > Probably there are gains to be made from more aggressive co-ordination > and advocacy (*), but I suspect these would need stronger resource > support

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-28 Thread Vladimír Čunát
On 11/26/19 9:58 PM, Tony Finch wrote: > Mirror zones (validated zone transfers) fall on the wrong side of the > cost/benefit equation for me. But I might change my mind if there were > better security for unauthenticated records (NS and glue) These are why we only implemented the mechanism over H

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-28 Thread Petr Špaček
On 27. 11. 19 21:49, David Conrad wrote: > Petr, > >> I think there is even more fundamental problem: >> Someone has to pay operational costs of "the new system”. > > The “new system” is simply the existing network of resolvers, augmented to > have the root zone.  As far as I can tell, the opera

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-28 Thread Florian Weimer
* Ondřej Surý: >> Raw change rates do not tell us if zones keep at least some of >> their servers at constant addresses over really, really long >> periods of time. > > .bank > - deleted NS {ac1|ac2}.nstld.com. and added NS {a|b|c}.nic.bank. on November > 20 > and > - deleted NS {ac3|ac4}.nstl

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Ondřej Surý
> On 28 Nov 2019, at 08:09, Florian Weimer wrote: > > * Ondřej Surý: > >>> On 27 Nov 2019, at 23:08, Florian Weimer wrote: >>> * Mark Allman: >>> Let me try to get away from what is or is not "big" and ask two questions. (These are legit questions to me. I have studied the DN

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Florian Weimer
* Ondřej Surý: >> On 27 Nov 2019, at 23:08, Florian Weimer wrote: >> >> What's the change rate for the root zone? > > https://twitter.com/diffroot Selective quoting does not help to further the discussion. Raw change rates do not tell us if zones keep at least some of their servers at const

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Ondřej Surý
> On 27 Nov 2019, at 23:08, Florian Weimer wrote: > > What's the change rate for the root zone? https://twitter.com/diffroot O. -- Ondřej Surý ond...@sury.org ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Florian Weimer
* Jared Mauch: >> On Nov 27, 2019, at 5:26 PM, Florian Weimer wrote: >> >> What's the change rate for the root zone? If there is a full >> transition of the name server addresses for a zone, how long does it >> typically take from the first change to the completion of the sequence >> of changes

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Jared Mauch
> On Nov 27, 2019, at 5:26 PM, Florian Weimer wrote: > > What's the change rate for the root zone? If there is a full > transition of the name server addresses for a zone, how long does it > typically take from the first change to the completion of the sequence > of changes? There are regula

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Florian Weimer
* Mark Allman: > Let me try to get away from what is or is not "big" and ask two > questions. (These are legit questions to me. I have studied the > DNS a whole bunch, but I do not operate any non-trivial part of the > DNS and so that viewpoint is valuable to me.) > > (1) Setting aside history a
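
Several messages in this thread turn on the same empirical question: how stable the root zone is in practice, how long a full NS transition for a TLD takes from first change to completion (Florian Weimer's question, Mark Allman's April 2019 snapshot comparison), and whether operators stage the change or swap every server at once (Tony Finch's and Stephane Bortzmeyer's examples). The following is an added example, not code from the thread or from any participant: it runs that per-TLD churn analysis over daily root-zone snapshots in presentation format, and then simulates a resolver that holds a copy of the zone refreshed every N days, which is the failure mode Stephane and Florian describe for a monthly refresh. The snapshots, the TLDs foo/bar/baz and all nameserver names are constructed.

```python
import datetime as dt
from collections import defaultdict

# Four constructed daily snapshots in root-zone presentation format, oldest
# first.  foo. changes operator in two halves with a day of holding between
# them (staged), baz. replaces its only server in one day (a flag day), and
# bar. keeps its NS set but rolls its DS.  All names are made up.
SNAPSHOTS = [
    ("2019-11-18", """
foo.        172800 IN NS a.old.test.
foo.        172800 IN NS b.old.test.
a.old.test. 172800 IN A  192.0.2.1
bar.        172800 IN NS ns1.bar.test.
bar.        172800 IN NS ns2.bar.test.
bar.        86400  IN DS 11111 8 2 AAAA
baz.        172800 IN NS x.baz.test.
"""),
    ("2019-11-19", """
foo.        172800 IN NS b.old.test.
foo.        172800 IN NS a.new.test.
bar.        172800 IN NS ns1.bar.test.
bar.        172800 IN NS ns2.bar.test.
bar.        86400  IN DS 11111 8 2 AAAA
baz.        172800 IN NS y.baz.test.
"""),
    ("2019-11-20", """
foo.        172800 IN NS b.old.test.
foo.        172800 IN NS a.new.test.
bar.        172800 IN NS ns1.bar.test.
bar.        172800 IN NS ns2.bar.test.
bar.        86400  IN DS 22222 8 2 BBBB
baz.        172800 IN NS y.baz.test.
"""),
    ("2019-11-21", """
foo.        172800 IN NS a.new.test.
foo.        172800 IN NS b.new.test.
bar.        172800 IN NS ns1.bar.test.
bar.        172800 IN NS ns2.bar.test.
bar.        86400  IN DS 22222 8 2 BBBB
baz.        172800 IN NS y.baz.test.
"""),
]


def parse_delegations(zone_text):
    """Return ({tld: NS targets}, {tld: DS rdata}) from presentation-format text.
    Only single-label owners (the TLDs) are kept; the apex and glue are skipped."""
    ns, ds = defaultdict(set), defaultdict(set)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        owner, rtype, rdata = f[0].lower(), f[3].upper(), " ".join(f[4:])
        label = owner.strip(".")
        if not label or "." in label:
            continue
        if rtype == "NS":
            ns[owner].add(rdata.lower())
        elif rtype == "DS":
            ds[owner].add(rdata)
    return ns, ds


def analyze_churn(snapshots):
    """Per-TLD delegation churn over (iso_date, zone_text) snapshots, oldest first.
    A change day is one on which the NS RRset differs from the previous day; a
    change that keeps no server from the previous day is a flag day, and a run
    of changes that each retain some overlap is staged."""
    parsed = [(dt.date.fromisoformat(d), *parse_delegations(z)) for d, z in snapshots]
    tlds = set().union(*(ns.keys() for _, ns, _ in parsed))
    report = {}
    for tld in sorted(tlds):
        initial = parsed[0][1].get(tld, set())
        prev_ns, prev_ds = initial, parsed[0][2].get(tld, set())
        change_days, ds_changes, flag_day = [], 0, False
        for date, ns, ds in parsed[1:]:
            cur_ns, cur_ds = ns.get(tld, set()), ds.get(tld, set())
            if cur_ns != prev_ns:
                change_days.append(date)
                flag_day = flag_day or not (cur_ns & prev_ns)
            if cur_ds != prev_ds:
                ds_changes += 1
            prev_ns, prev_ds = cur_ns, cur_ds
        report[tld] = {
            "ns_change_days": len(change_days),
            "flag_day": flag_day,
            "staged": bool(change_days) and not flag_day,
            "full_transition": bool(initial) and not (initial & prev_ns),
            "span_days": (change_days[-1] - change_days[0]).days if change_days else None,
            "ds_changes": ds_changes,
        }
    return report


def min_live_overlap(snapshots, tld, refresh_days):
    """Simulate a resolver that copies the root on day one and refreshes every
    REFRESH_DAYS; return the fewest nameservers its copy shares with the live
    delegation on any day.  Zero means the copy names only servers that no
    longer serve the TLD, i.e. the delegation is dead for that resolver."""
    live_by_day = [(dt.date.fromisoformat(d), parse_delegations(z)[0].get(tld, set()))
                   for d, z in snapshots]
    copy, copied_on = live_by_day[0][1], live_by_day[0][0]
    worst = len(copy)
    for date, live in live_by_day:
        if (date - copied_on).days >= refresh_days:
            copy, copied_on = live, date     # refresh before serving that day
        worst = min(worst, len(copy & live))
    return worst


if __name__ == "__main__":
    for tld, r in analyze_churn(SNAPSHOTS).items():
        print(tld, r)
    for days in (30, 2):
        print(f"foo. with a {days}-day refresh: min overlap "
              f"{min_live_overlap(SNAPSHOTS, 'foo.', days)}")
```

With these constructed snapshots a monthly refresh leaves foo. unreachable on the day its second half moves, while a two-day refresh always keeps at least one working server; for baz., which swaps everything at once, no refresh interval longer than a day helps, which is the point made about Vanuatu-style changes.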

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread David Conrad
Petr, > I think there is even more fundamental problem: > Someone has to pay operational costs of "the new system”. The “new system” is simply the existing network of resolvers, augmented to have the root zone. As far as I can tell, the operational cost would be in (a) ensuring the resolver is

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Fred Morris
I've been following this thread, and I'm well aware of the massive amounts of NXDOMAIN stuff. I don't know enough about this specific issue. But there are things which happen in Browser Land which would lead me to naively conclude the people making browsers don't understand DNS. Two recent (ac

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Wessels, Duane via dns-operations
> On Nov 25, 2019, at 1:23 PM, Bill Woodcock wrote: > >> On Nov 25, 2019, at 9:54 PM, Florian Weimer wrote: >> The query numbers are surprisingly low. To me at least. > > Duane Wessels did a good study some time ago of queries to the root. I > believe over 99% were bog

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Wessels, Duane via dns-operations
> On Nov 25, 2019, at 2:19 PM, Florian Weimer wrote: > > * Jim Reid: > >>> On 25 Nov 2019, at 20:54, Florian Weimer wrote: >>> Is it because of the incoming data is interesting? >> >> Define interesting. > > The data could have monetary value. Passwords that are other

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Petr Špaček
On 26. 11. 19 12:46, David Conrad wrote: > On Nov 26, 2019, at 11:33 AM, Jim Reid wrote: >>> On 26 Nov 2019, at 09:16, Florian Weimer wrote: >>> >>> Up until recently, well-behaved recursive resolvers had to forward >>> queries to the root

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Petr Špaček
On 27. 11. 19 9:53, Ondřej Surý wrote: > Mark, > > I believe that any distributed system that won’t have a fallback to the RZ > is inevitably doomed and will get out of sync. > > The RFC7706 works because there’s always a safe guard and if the resolver > is unable to use mirrored zone, it will go

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Keith Mitchell
On 11/26/19 7:40 PM, Mark Allman wrote: > I wonder if we're ever allowed to just decide this sort of thing is > ridiculous old shit and for lots of reasons we can and should just > garbage collect it away. To some extent, "get rid of ridiculous old sh*t" is kind of what the DNS Flag Days are wor

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Petr Špaček
On 26. 11. 19 16:04, Roy Arends wrote: > > >> On 26 Nov 2019, at 12:46, David Conrad wrote: >> >> It would appear a rather large percentage of queries to the root (like 50% >> in some samples) are random strings, between 7 to 15 characters long, >> sometimes longer. I believe this is Chrome-s

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Ondřej Surý
Mark, I believe that any distributed system that won’t have a fallback to the RZ is inevitably doomed and will get out of sync. The RFC7706 works because there’s always a safe guard and if the resolver is unable to use mirrored zone, it will go to the origin. Call me a pessimist, but I’ve yet to

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread George Michaelson
I tend to functional questions in these matters. This is not a symmetric pair, but they go to different sides of the problem 1) what will happen if we imagine these queries not being answered? A hypothetical (*and, its not zero cost*) front-end process which drops them 2) what is the consequence

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Paul Ebersman
ebersman> IPv4 reachable traditional DNS servers for some tiny group of ebersman> antique folks will be needed for years, even if we get 99+% of ebersman> the world to some new system. mallman> I wonder if we're ever allowed to just decide this sort of mallman> thing is ridiculous old shit and for

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Mark Allman
Hi Paul! > The biggest problem I see here is the legacy/long-tail problem. As > of a few years ago, I bumped into BIND 4 servers still > active. Wouldn't be shocked to hear they are still being used. > > IPv4 reachable traditional DNS servers for some tiny group of > antique folks will be needed

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Tony Finch
I generally agree with Geoff Huston's thoughts on this subject http://www.potaroo.net/ispcol/2019-04/root.html Mirror zones (validated zone transfers) fall on the wrong side of the cost/benefit equation for me. But I might change my mind if there were better security for unauthenticated records

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Paul Ebersman
mallman> Setting aside history and how things have been done and why mallman> (which I am happy to stipulate is rational)... At this point, mallman> are there tangible benefits for getting information about the mallman> TLD nameservers to resolvers as needed via a network service? The biggest prob

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Paul Ebersman
ebersman> Actually, it's a great argument for longer TTLs and caching ebersman> doing what they're supposed to. jim> It would be if the root only got queries from well behaved jim> recursive resolvers. But we both know Paul that simply isn't true. jim> Well over 90% of the query traffic at the ro

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread John Kristoff
On Mon, 25 Nov 2019 20:30:32 + Mark Allman wrote: > Left here to be ripped apart ... :-) Hello Mark, Without making any explicit remarks on your paper or on the following, in case you missed it, I remembered I had seen something like this proposed before: Domain Name System Without Root

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Mukund Sivaraman
On Tue, Nov 26, 2019 at 08:41:51AM -0500, Mark Allman wrote: > > Let me try to get away from what is or is not "big" and ask two > questions. (These are legit questions to me. I have studied the > DNS a whole bunch, but I do not operate any non-trivial part of the > DNS and so that viewpoint is

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Roy Arends
> On 26 Nov 2019, at 12:46, David Conrad wrote: > > It would appear a rather large percentage of queries to the root (like 50% in > some samples) are random strings, between 7 to 15 characters long, sometimes > longer. I believe this is Chrome-style probing to determine if there is > NXDOMA

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Roy Arends
Mark > On 26 Nov 2019, at 14:49, Mark Allman wrote: > > >> It would appear a rather large percentage of queries to the root >> (like 50% in some samples) are random strings, between 7 to 15 >> characters long, sometimes longer. I believe this is Chrome-style >> probing to determine if there is

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Mark Allman
> It would appear a rather large percentage of queries to the root > (like 50% in some samples) are random strings, between 7 to 15 > characters long, sometimes longer. I believe this is Chrome-style > probing to determine if there is NXDOMAIN redirection. A good > example of the tragedy of the

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Bill Woodcock
Yes, in the long term you can only survive by being both large and clever, not just one or the other. -Bill > On Nov 26, 2019, at 13:03, David Conrad wrote: > > On Nov 26, 2019, at 11:33 AM, Jim Reid wrote: >>> On 26 Nov 2019, at 09:16, Florian Weimer wrote: >>> >>> U

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Mark Allman
Let me try to get away from what is or is not "big" and ask two questions. (These are legit questions to me. I have studied the DNS a whole bunch, but I do not operate any non-trivial part of the DNS and so that viewpoint is valuable to me.) (1) Setting aside history and how things have been d

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread David Conrad
On Nov 26, 2019, at 11:33 AM, Jim Reid wrote: >> On 26 Nov 2019, at 09:16, Florian Weimer wrote: >> >> Up until recently, well-behaved recursive resolvers had to forward >> queries to the root if they were not already covered by a delegation. >> RFC 7816 and in part

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Florian Weimer
* Jim Reid: >> On 26 Nov 2019, at 09:16, Florian Weimer wrote: >> >> Up until recently, well-behaved recursive resolvers had to forward >> queries to the root if they were not already covered by a delegation. >> RFC 7816 and in particular RFC 8198 changed that, but before that, it >> was just ho

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Jim Reid
> On 26 Nov 2019, at 09:16, Florian Weimer wrote: > > Up until recently, well-behaved recursive resolvers had to forward > queries to the root if they were not already covered by a delegation. > RFC 7816 and in particular RFC 8198 changed that, but before that, it > was just how the protocol w

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Florian Weimer
* Jim Reid: >> On 25 Nov 2019, at 22:19, Florian Weimer wrote: >> >>> What do you consider to be a lot of queries? The root server system >>> collectively handles 500K-1M queries per second. That seems rather a >>> lot to me. YMMV. >> >> But globally? For the entire planet? > > Yes. If you con

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Jim Reid
> On 25 Nov 2019, at 22:31, Paul Ebersman wrote: > > Actually, it's a great argument for longer TTLs and caching doing what > they're supposed to. It would be if the root only got queries from well behaved recursive resolvers. But we both know Paul that simply isn't true. Well over 90% o

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread Jim Reid
> On 25 Nov 2019, at 22:19, Florian Weimer wrote: > >> What do you consider to be a lot of queries? The root server system >> collectively handles 500K-1M queries per second. That seems rather a >> lot to me. YMMV. > > But globally? For the entire planet? Yes. If you consider a well-behaved

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread Fred Morris
Funny you should mention this. It just occurred to me, although it also apparently occurred to one other soul on the dnsrpz mailing list, you can use RPZ to audit and to some extent contain leakage. Assuming you own example.com, I'm speaking about entries akin to the following: *.example.exa

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread Paul Ebersman
jim> What do you consider to be a lot of queries? The root server system jim> collectively handles 500K-1M queries per second. That seems rather jim> a lot to me. YMMV. fw> But globally? For the entire planet? fw> It's certainly beyond what I can run out of my basement using spare fw> parts, but

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread Florian Weimer
* Jim Reid: >> On 25 Nov 2019, at 20:54, Florian Weimer wrote: >> >> The query numbers are surprisingly low. To me at least. > > What do you consider to be a lot of queries? The root server system > collectively handles 500K-1M queries per second. That seems rather a > lot to me. YMMV. But glob

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread Jim Reid
> On 25 Nov 2019, at 20:54, Florian Weimer wrote: > > The query numbers are surprisingly low. To me at least. What do you consider to be a lot of queries? The root server system collectively handles 500K-1M queries per second. That seems rather a lot to me. YMMV. I don't know of any other I

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread Bill Woodcock
> On Nov 25, 2019, at 9:54 PM, Florian Weimer wrote: > The query numbers are surprisingly low. To me at least. Duane Wessels did a good study some time ago of queries to the root. I believe over 99% were bogus, not real queries for resolvable things. > Do we know why the number of root insta

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread bert hubert
On Mon, Nov 25, 2019 at 09:54:55PM +0100, Florian Weimer wrote: > Do we know why the number of root instances has increased? Is it > because of the incoming data is interesting? I would venture the latter. This remains a seriously underdiscussed subject. There is of course "logging of all data"

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread Florian Weimer
* Mark Allman: > Left here to be ripped apart ... :-) The query numbers are surprisingly low. To me at least. Do we know why the number of root instances has increased? Is it because of the incoming data is interesting? ___ dns-operations mailing list

[dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread Mark Allman
Left here to be ripped apart ... :-) Mark Allman. On Eliminating Root Nameservers from the DNS, ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), November 2019. https://www.icir.org/mallman/pubs/All19b/ Abstract: The Domain Name System (DNS) leverages nearly 1K distributed