On Fri, Jan 30, 2026 at 9:48 PM, Philip Homburg <[email protected]>
wrote:

> Unfortunately, the IETF only standardized full transfers of the root zone
>
> Where? Which RFC?
>
> In the hypothetical case that we would look at the current operation of
> the root create a standard based on that.
>
> I very much doubt any distribution network would notice transfers of the
> root zone even if they went looking for them. It'll be lost in the noise of
> serving up cat videos, smut, social media garbage, OS updates, etc.
>
> It's been a while, and I don't recall the exact numbers, but some time ago
> I looked at an estimate of how often a copy of the root would be needed if
> all recursors switch to local root. I used root priming queries for that.
>
> If you take that number and multiply it by the 1.4 MB that an AXFR of the
> root currently takes then you'll get a pretty big number.
>


I worked out some numbers on this a while back…

If one assumes 1,000,000 recursive resolvers all doing LocalRoot, doing 3
updates per day over HTTPS, the total traffic is ~7TB per day, or ~222TB
per month.
If the web server did gzip compression, this drops to 3TB per day or 80TB
per month.

These numbers are, as suggested, tiny in the scale of a CDN - as an
example, the IETF webpage is about the same size as the root zone (~1.7MB),
nytime.com is more than double (~5.5MB), and a Standard Definition (480p)
RickRoll video ("Never Gonna Give You Up"  by Rick Astley) is ~30-50 MB...

I cannot find my exact numbers at the moment, but using one of the large
CDN / cloud providers public pricing it was in the hundreds of dollars per
month range.


Interestingly, the amount of data to be transferred varies quite a bit
based on the transfer mechanism.

Raw file: 2.2MB (2,249,923 Bytes)
AXFR: 1.6 MB (1,602,476 Bytes, 2719 packets)
Individual queries[0]:  1.1MB (1,127,567 Bytes, 1537 packets)
HTTPS: 2.3MB (2,379,902 Bytes)
HTTPS with gzip compression: 0.9MB (990,949 Bytes)

The fact that the AXFR is ~70% of the raw file was initially
surprising to me, but after a second of thought, it's because DNS name
compression works quite well in this case. HTTPS is larger because TLS,
headers, etc — but basically all web servers and libraries support gzip
compression, which brings the file down to 990KB.
"Individual queries" was calculated by configuring iptables to count
traffic to all of the root server IP addresses, clearing the cache on an
Unbound instance, querying a name in each TLD and then looking at the
stats. Because of background radiation and silly apps and such, most
resolvers have most TLDs in them, so that's a rough idea of the base case…



> That doesn't say we must do or do not do something. Just that in my
> opinion we shouldn't give too much weight to how the root is currently
> signed.
>
> If we think that CDNs for the root are essentially for free, then let's
> just write that down.
>


We believe that many CDNs will happily provide this for actual free (not
just essentially free…),
W



> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>