[FTR, I like LocalRoot and read all 4 drafts.]

On 2026-02-04 10:08 -06, Warren Kumari <[email protected]> wrote:
> On Fri, Jan 30, 2026 at 9:48 PM, Philip Homburg <[email protected]>
> wrote:
[...]
>> If you take that number and multiply it by the 1.4 MB that an AXFR of the
>> root currently takes then you'll get a pretty big number.
>>
>
>
> I worked out some numbers on this a while back…
>
> If one assumes 1,000,000 recursive resolvers all doing LocalRoot, doing 3
> updates per day over HTTPS, the total traffic is ~7TB per day, or ~222TB
> per month.
> If the web server did gzip compression, this drops to 3TB per day or 80TB
> per month.
>

This assumes well-behaved resolvers.

Since we are wildly speculating, let's look at what resolvers are up to
and extrapolate from there.

According to https://rssac002.root-servers.org/rcode_0_v_3.html, the RSS
sent 55,568,600,764 NOERROR responses on 2026-01-25. That's 643,155
NOERROR responses per second. These are things that are supposed to be
cached for a day (DS, RRSIG) or two (NS).

So, ~600,000 times a second something on Earth expired from a cache for
the root (which is not true; resolvers are not well behaved, we know
that).

What would happen if that triggers an AXFR?

600000 * 1.6 [AXFR size in MB] * 8 [bits] / 1024 [Gbit] / 1024 [Tbit]

7.33 Tbit/s. Uh oh...

Of course that math is BS. But by how much?

  10x: 700 Gbit/s
 100x:  70 Gbit/s
1000x:   7 Gbit/s

k.root-servers.net currently does about 700 Mbit/s outgoing traffic.

So my math needs to be BS by 3 orders of magnitude for the RSS / Internet to
break even.

What would happen if a popular DNS forwarder on CPEs decides to
implement these drafts?

What would happen if a popular mobile OS decides to roll out client side
DNSSEC validation and decides to take a standard open source resolver
that has these drafts implemented and defaults to "ON"? Obviously you
need to drop your cache on every network reconnect...

Yes, yes, this is all not super likely nor realistic. I guess what I'm
trying to say is: we just don't know what would happen if suddenly all
resolvers switched their default to "on" and some get their caching
wrong.

> These numbers are, as suggested, tiny in the scale of a CDN - as an

Another random thought: in this day and age of "AI" scrapers annoying
the hell out of everyone, it is not intuitively obvious to me that a DNS
server (i.e. a bot) will be able to talk to a CDN without being prompted
to solve a CAPTCHA or do some Anubis-style proof of work...


-- 
In my defence, I have been left unsupervised.
