On Fri, Jan 23, 2026 at 10:06 PM, John Levine <[email protected]> wrote:
> It appears that Wes Hardaker <[email protected]> said:
>
>> 1. Root servers SHOULD offer open AXFR over TCP* (perhaps updating RFC
>> 7720).
>>
>> Zone file over HTTP has a number of advantages, according at least to the
>> views of a few people that I've talked with (and they should speak up
>> here). One obvious one is negotiated compression (mentioned in the
>> document) and potentially better global load balancing infrastructure.
>
> The advantage of AXFR is that DNS servers know how to use it to keep a
> copy of a zone up to date.
>
> The advantage of http is that we know how to use it to distribute files at
> scale -- that's a CDN.
>
> It is not obvious to me which will be more difficult to set up in the
> short run and maintain in the long run, create AXFR CDNs, or add features
> to DNS servers to fetch updated zones via http.

I'll note that both the Knot (https://knot-resolver.readthedocs.io/en/stable/modules-prefill.html) and Unbound (https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-auth-url) example configurations already use HTTPS to perform this functionality, so they at least already support this.

> (I realize that there are ways to fake the latter, but we want something
> that doesn't need a DNS expert to set up.)
>
> ICANN has two public AXFR servers at xfr.cjr.dns.icann.org and
> xfr.lax.dns.icann.org. How about asking them what their experience has been,
> how's the load, how hard is it to manage, how have they dealt with the
> sorts of attacks that people make on public servers.

Wes and I have already had this chat with IANA (in the form of Kim); I'll let him chime in here.

W

> R's,
> John
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
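For readers who want to see what the "fetch the zone over HTTPS, fall back to AXFR" setup mentioned above looks like in practice, here is an added Unbound `auth-zone` fragment (not from any participant in this thread and not Unbound's own documentation). It assumes the InterNIC root zone URL and uses the two ICANN AXFR servers named in the thread; the `zonemd-check` option is assumed to be available in the Unbound version in use and is included so that a tampered or truncated copy is rejected regardless of which transport delivered it.

```conf
# Added example: serve a locally held copy of the root zone to the
# resolver, refreshed over HTTPS with AXFR as a fallback.
auth-zone:
    name: "."

    # Primary refresh path: plain HTTPS download of the zone file.
    # This is the HTTP-based distribution the thread discusses
    # (negotiated compression, CDN-friendly).
    url: "https://www.internic.net/domain/root.zone"

    # Fallback refresh path: AXFR/IXFR from ICANN's public transfer
    # servers named in the thread, used if the HTTPS fetch fails.
    primary: xfr.cjr.dns.icann.org
    primary: xfr.lax.dns.icann.org

    # Integrity check: verify the ZONEMD record in the downloaded zone
    # and refuse to use a copy whose digest does not match.
    # (assumed to be supported by the running Unbound version)
    zonemd-check: yes

    # If the local copy is unusable, resolve the root normally rather
    # than failing closed.
    fallback-enabled: yes

    # Use the copy for upstream resolution only; do not expose it as
    # an authoritative zone to downstream clients.
    for-upstream: yes
    for-downstream: no

    # Persist the zone between restarts.
    zonefile: "root.zone"
```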
