On Jul 9, 2014, at 10:45 AM, Paul Vixie <[email protected]> wrote:

> Paul Hoffman wrote:
>> Given that you are one of the co-authors of draft-lee-dnsop-scalingroot, can
>> you say why your authoritative proposal is significantly better than the
>> current operational base?
>>
>
> yes. in <https://www.icann.org/en/system/files/files/report-21feb14-en.pdf>
> (section 9.4) i wrote as follows:
>
> << Criticisms of the current and historical Root Name Server System include
> lack of resistance to DDoS attack, noting that even with the current wide
> scale anycasting by every Root Name Server Operator, there are still only a
> few hundred name servers in the world who can answer authoritatively for the
> DNS root zone. We are also concerned that reachability of the Root Name
> Server System is required even for purely local communication, since
> otherwise local clients have no way to discover local services. In a world
> sized distributed system like the Internet, critical services ought to be
> extremely well distributed. >>
Apologies, but that doesn't answer the question. In the face of lack of resistance to DDoS attacks, why is it better to have more *authoritative* root servers, as compared to validating recursive resolvers that have an up-to-date signed copy of the root?

Similarly, for purely local communication, why is it better to have more *authoritative* root servers?

The last sentence above makes good sense, but it too is not related to the number of authoritative servers.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
