On 04. 02. 26 10:45, Willem Toorop wrote:
On 2/4/26 10:26, Libor Peltan wrote:
Hi,
As a DNS nerd, I also favor AXFR/IXFR for local root updates. However,
the public AXFR service needs to be provided by *different*
nameservers than normal root zone answering, because AXFR is easy to
DoS and often can suffer even with high load of legitimate traffic. So
we need to care that it doesn't disrupt the normal root DNS (even TCP)
answering.
And yes, the root zone signing process should be modernized to be able
to sign incrementally, in any case. But that's not critical.
As an alternative, I have also thought that as root zone is signed
with NSECs, the resolvers actually can fill their cache by simply
iterating the zone with normal queries :) But then I thought that
simply enabling aggressive negative caching is more efficient.
Anyway, what are the main benefits of local root against negative caching?
One benefit of transfer is that ZONEMD can be verified and validated,
which provides DNSSEC grade protection for all the referrals (i.e. NS
RRsets and glue).
It would also provide DNSSEC protection for the root server addresses,
but that's immaterial because they would in theory not be used anymore,
and in addition, specifically Knot Resolver already has DNSSEC
protection for them by revalidating them in the priming process ;-)
I have a clarifying question about Knot Resolver: I read in the
documentation that the current implementation of RFC 8806 by Knot
Resolver is through "Cache prefilling" from a root zone file downloaded
over https (https://knot-resolver.readthedocs.io/en/stable/modules-rfc7706.html
and https://knot-resolver.readthedocs.io/en/stable/modules-prefill.html#mod-prefill ).
Does that mean that it could get evicted
from the cache if more space is needed?
Yes it does.
https://gitlab.nic.cz/knot/knot-resolver/-/blob/master/daemon/zimport.c#L375
But see also
https://gitlab.nic.cz/knot/knot-resolver/-/blob/master/utils/cache_gc/kr_cache_gc.c#L137
and
https://gitlab.nic.cz/knot/knot-resolver/-/blob/master/utils/cache_gc/categories.c
--
Petr Špaček
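As an added illustration of the aggressive negative caching alternative Libor raises (RFC 8198 synthesis from validated root NSEC records, including the RFC 6840 ancestor-delegation rule), this is example code written for this page, not code from the thread or from Knot Resolver; the NSEC chain below uses fictional TLDs and is constructed, and the helper names are mine.

```python
from dataclasses import dataclass

def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 ordering key: labels right to left, case-insensitive;
    the root "." becomes the empty tuple and sorts first."""
    return tuple(l.lower().encode() for l in reversed(name.rstrip(".").split(".")) if l)

@dataclass(frozen=True)
class NSEC:
    owner: str        # owner name of the NSEC RR
    next_name: str    # "next domain name" field
    types: frozenset  # type bitmap of the owner

def is_delegation(nsec: NSEC) -> bool:
    return "NS" in nsec.types and "SOA" not in nsec.types

def usable(nsec: NSEC, qname: str) -> bool:
    """RFC 6840 s4.1: an NSEC at a delegation point must not prove anything
    about names below that cut; the root is not authoritative there."""
    o, q = canonical_key(nsec.owner), canonical_key(qname)
    below_cut = len(o) < len(q) and q[:len(o)] == o
    return not (is_delegation(nsec) and below_cut)

def covers(nsec: NSEC, qname: str) -> bool:
    """qname sorts strictly between owner and next; the last NSEC in the chain
    points back at the apex "." and covers everything after its owner."""
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_name, qname))
    return q > o if n == () else o < q < n

def synthesize(cache, qname: str, qtype: str) -> str:
    """RFC 8198 aggressive negative caching against validated root NSECs."""
    q = canonical_key(qname)
    for nsec in cache:
        if canonical_key(nsec.owner) == q:
            if is_delegation(nsec) and qtype != "DS":
                return "RESOLVE"    # the TLD itself is authoritative for this
            return "NODATA" if qtype not in nsec.types else "RESOLVE"
        if usable(nsec, qname) and covers(nsec, qname):
            return "NXDOMAIN"       # synthesized, no query to the root needed
    return "RESOLVE"

# Constructed NSEC chain fragment with fictional TLDs, standing in for
# DNSSEC-validated records the resolver holds from the root zone.
ROOT_NSEC = [
    NSEC(".", "alpha.", frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC("alpha.", "bravo.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("bravo.", "charlie.", frozenset({"NS", "RRSIG", "NSEC"})),  # unsigned TLD
    NSEC("zulu.", ".", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]
```

Note that a name under a delegated TLD (sub.alpha.) is never answered from the root's NSECs, which is exactly the case the ancestor-delegation check exists for.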