* Mark Allman:

> Let me try to get away from what is or is not "big" and ask two
> questions. (These are legit questions to me. I have studied the
> DNS a whole bunch, but I do not operate any non-trivial part of the
> DNS and so that viewpoint is valuable to me.)
>
> (1) Setting aside history and how things have been done and why
> (which I am happy to stipulate is rational)... At this point,
> are there tangible benefits for getting information about the
> TLD nameservers to resolvers as needed via a network service?
>
> (2) Are there fundamental problems that would arise in recursive
> resolvers if the information about TLD nameservers was no longer
> available via a network service, but instead had to come from a
> file that was snarfed periodically?
What's the change rate for the root zone? If there is a full transition of the name server addresses for a zone, how long does it typically take from the first change to the completion of the sequence of changes? If the answer is “this has never happened”, then using a fairly static data source should probably be okay (similar to how the browser PKI is maintained).

Due to the way DNSSEC works with its periodic renewal of signatures, validating non-recursive resolvers will automatically verify the freshness of the local root zone copy. Even if there are few such clients, I expect that for most operators, it will effectively prevent undetected decay due to a stale root zone (where more and more stale delegations accumulate until performance is seriously impacted, and fresh bootstrap using external data is needed).

The other question is whether that data source will make it harder for ICANN or someone else to hand over control over the TLD in a unilateral manner. And then it's not even clear whether that's a good thing or not.

Other uncertainties relate to the size of the root zone. It seems that the phase of aggressive growth is more or less over. But hard-coding an assumption that resolvers can load the root zone into memory is on a different level because it limits policy basically for forever.

I've thought a bit about whether the root domain list should be pushed into (non-validating) stub resolvers, but I don't think that's possible because people really like to use local domains.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
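As an added illustration of the freshness argument in the reply above (example code written for this page, not from the thread or from any resolver), the script below parses RRSIG records out of a root-zone-style snapshot and reports which signatures have lapsed at a given time, which is what an operator would see in a stale local root copy before validating clients start rejecting it. The zone text, timestamps and key tag are constructed sample values, not a real root zone.

```python
import re
from datetime import datetime, timezone

# Constructed root-zone-style RRSIG lines (signature bodies are dummy base64).
# Field order after RRSIG: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
SAMPLE_ZONE = """\
. 86400 IN RRSIG NS 8 0 86400 20240115050000 20240102040000 5613 . c29tZWJhc2U2NA==
. 86400 IN RRSIG SOA 8 0 86400 20240110000000 20240101000000 5613 . c29tZWJhc2U2NA==
com. 86400 IN RRSIG DS 8 1 86400 20240120000000 20240103000000 5613 . c29tZWJhc2U2NA==
"""

RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)
TS_FMT = "%Y%m%d%H%M%S"  # the YYYYMMDDHHMMSS UTC form RRSIG uses


def parse_time(ts):
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def rrsig_validity(zone_text):
    """Yield (owner, type_covered, inception, expiration) for each RRSIG line."""
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            owner, covered, exp, inc = m.groups()
            yield owner, covered, parse_time(inc), parse_time(exp)


def check_freshness(zone_text, now_ts):
    """Return (fresh_count, stale) where stale lists RRSIGs not valid at now_ts.

    A signature is usable only inside [inception, expiration]; anything outside
    that window is what a validating resolver would refuse from a stale copy.
    """
    now = parse_time(now_ts)
    fresh, stale = 0, []
    for owner, covered, inc, exp in rrsig_validity(zone_text):
        if inc <= now <= exp:
            fresh += 1
        else:
            stale.append((owner, covered, exp.strftime(TS_FMT)))
    return fresh, stale


def earliest_expiration(zone_text):
    """Deadline by which the local copy must be refreshed to stay fully valid."""
    return min(exp for _, _, _, exp in rrsig_validity(zone_text)).strftime(TS_FMT)


if __name__ == "__main__":
    print("refresh before:", earliest_expiration(SAMPLE_ZONE))
    print(check_freshness(SAMPLE_ZONE, "20240112000000"))
```

Run against a real snapshot, `earliest_expiration` is the point at which a periodically fetched root copy starts failing validation if the fetch is missed.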
