On Jul 7, 2014, at 4:36 PM, Paul Vixie <[email protected]> wrote:

>>> that's why query minimization is the preferred solution to this problem.
>> This isn't either/or.
> are you proposing to solve problem A (junk queries at the root) and problem B
> (junk queries at tld's and pseudo-tld's) using different mechanisms? why is
> the cost of a second mechanism worth paying, if a single mechanism would
> solve both problems?
Query minimization and slaving the root focus on solving different problems. For example, query minimization does nothing to reduce systemic vulnerability to DoS. Both should probably be done.

> put it the other way. as a domain holder, i'd like the system recommended by
> IETF whereby my delegation data is distributed to be as error-unlikely as
> possible.

As a user of the Internet, I'd like the system recommended by the IETF to scale in the face of ISPs being unable to address DoS in any effective way. The root of the DNS, concentrated in the hands of 24 (still not 26, sigh) IP addresses, is and always has been non-scalable -- we just didn't have a zillion botnet zombies rubbing our noses in it. Worse, the existing system relies on the goodwill and potentially unbounded donation of resources from folks who aren't paid to provide the service. When you, I, and the Internet were younger, this (arguably) made sense but the Internet has changed (not to mention you and I).

Slaving the root means the folks who are getting paid to provide domain resolution service to their customers are no longer dependent on the kindness of strangers, the single point of failure represented by the real-time query response requirement of root servers can be avoided, latency is reduced for queries for non-existent names, and information leakage can be minimized.

The main argument against slaving the root I've seen appears to me to be FUD: "people running resolvers are too stupid to configure slaving the root correctly so root data will go stale!" (paraphrased). I've no doubt some folks will get it wrong, however again, this is a self-correcting problem that impacts a fraction of the Internet at large. If nothing else, repeated failure of a resolver operator to fix their slave configuration will result either in migration to folks who can get it right or people running their own resolvers. Seems like a win to me.

Regards,
-drc
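Added illustration, not part of the thread and not code from any of its participants: a small Python model of the two mechanisms under discussion. It shows which query names reach a root server under full-QNAME lookups, under query minimization, and with a slaved root copy, and it walks a slaved copy through the staleness failure mode raised in the message: the zone keeps answering until its SOA expire time passes, after which it stops serving (modelled as SERVFAIL) instead of handing out stale delegations, which is what makes a broken slave configuration visible rather than silent. The TLD set, SOA timer values and serials are constructed assumptions, not the real root zone.

```python
"""
Constructed model of QNAME minimization versus slaving the root zone.
No real DNS traffic is sent; all data below is made up for illustration.
"""
from dataclasses import dataclass

# Constructed root-zone snapshot: a few delegated TLDs and SOA timers.
# The real root zone publishes its own SOA values; these are assumptions.
ROOT_TLDS = {"com", "net", "org", "arpa"}
SOA_REFRESH = 1800        # seconds between serial checks against the master
SOA_EXPIRE = 7 * 86400    # seconds a slave may serve without a successful refresh


def labels(qname: str) -> list[str]:
    """Split a fully qualified name into labels, root-most label first."""
    return [l for l in qname.rstrip(".").split(".") if l][::-1]


def minimized_query_names(qname: str) -> list[str]:
    """QNAMEs a minimizing resolver asks on a cold cache, one label at a time."""
    parts = labels(qname)
    return [".".join(reversed(parts[:i])) + "." for i in range(1, len(parts) + 1)]


def names_sent_to_root(qname: str, minimize: bool, local_root: bool) -> list[str]:
    """QNAMEs that actually reach a root server for a cold-cache lookup."""
    if local_root:
        return []                                   # slaved copy answers the TLD step locally
    if minimize:
        return [minimized_query_names(qname)[0]]    # only the TLD label leaves the resolver
    return [qname]                                  # full name is sent to the root


@dataclass
class SlavedRoot:
    serial: int
    tlds: set
    last_good_refresh: float    # epoch seconds of the last successful transfer

    def expired(self, now: float) -> bool:
        return now - self.last_good_refresh > SOA_EXPIRE

    def answer(self, qname: str, now: float) -> str:
        """Root-level answer: referral to a TLD, NXDOMAIN, or SERVFAIL once stale."""
        if self.expired(now):
            # Mirrors how an authoritative server treats an expired slave zone:
            # it refuses to answer rather than serve stale delegation data.
            return "SERVFAIL"
        parts = labels(qname)
        if not parts:
            return "ROOT APEX"
        tld = parts[0]
        return f"REFERRAL {tld}." if tld in self.tlds else "NXDOMAIN"

    def refresh(self, master: "SlavedRoot | None", now: float) -> bool:
        """Try a refresh; master=None models an unreachable transfer source."""
        if master is None:
            return False
        if master.serial > self.serial:
            self.serial, self.tlds = master.serial, set(master.tlds)
        self.last_good_refresh = now
        return True


def stale_scenario() -> list[str]:
    """Constructed timeline: transfer source reachable, then lost past expire."""
    master = SlavedRoot(serial=2014070700, tlds=set(ROOT_TLDS), last_good_refresh=0)
    local = SlavedRoot(serial=2014070600, tlds=set(), last_good_refresh=0)
    out = []
    local.refresh(master, now=0)
    out.append(local.answer("www.example.com.", now=0))       # delegation served locally
    out.append(local.answer("host.bogus-tld.", now=0))        # NXDOMAIN with no root round trip
    local.refresh(None, now=SOA_EXPIRE - 1)                   # source unreachable, still inside expire
    out.append(local.answer("www.example.com.", now=SOA_EXPIRE - 1))
    out.append(local.answer("www.example.com.", now=SOA_EXPIRE + 1))  # past expire: failure is visible
    return out


if __name__ == "__main__":
    print(minimized_query_names("www.example.com."))
    for minimize, local in [(False, False), (True, False), (True, True)]:
        print(minimize, local, names_sent_to_root("www.example.com.", minimize, local))
    print(stale_scenario())
```

The two mechanisms are orthogonal in this model: minimization changes what the root sees, while the slaved copy changes whether the root needs to be reachable at all, and the expire timer bounds how long a misconfigured slave can keep answering before it fails loudly.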
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
