Doug Barton <do...@dougbarton.us> wrote: > > Slaving the root and ARPA zones is a small benefit to performance for a busy > resolver, [...]
> This technique is particularly useful for folks in bad/expensive network > conditions. While the current anycast networks of root servers is much better > than it was "in the old days," the more data you have locally the more > resilient you are to DDOS against those targets. I should probably have said that it isn't just RFC 8198: * synth-from-dnssec (RFC 8198) synthesizes negative answers, so in most cases you don't need to talk to the authorities to find out that the answer is no; this is on by default * prefetch (https://tools.ietf.org/html/draft-wkumari-dnsop-hammer [1]) means your users won't suffer the latency of talking to the authorities when a popular name expires from the cache; this is on by default * stale-answer-enable / max-stale-ttl (https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale) means you can still function for a while if you can't reach the authorities These are all general-purpose features, not at all specific to the root. I think a local root was clearly a good idea before DNSSEC; since 2010 I have been less comfortable with it. [1] contains possibly my favourite ack ever Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Sole, Lundy, Fastnet: Southwest veering west, 4 or 5, increasing 6 for a time. Moderate or rough, occasionally slight later. Rain then showers. Moderate or poor, becoming good. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users