Philip Homburg <[email protected]> writes:

> Most DNS queries do not just go to the root and stop there. Queries continue
> TLDs, SLDs, etc.

Quick clarification: this was written entirely from the perspective of communicating with the RSS because it's a direct response to the discussion started at the last DNSOP meeting about LocalRoot / RootCache. I, thus, deliberately stayed away from opinions about the rest of the infrastructure (though if you're attending ICANN next week you may be interested in my presentation during the DNSSEC workshop that gets into both this document, and another presentation about issues relating to parent-centric (validated) resolution concerns).

> For an on path attacker, does a local root provide much protection? Not
> really, the attacker will see the query go to the TLD.

Agree completely, but it was out of scope of this particular document.

> When considering all upstream traffic of a resolver to answer a query,
> is the improvement provided by a local root significant?

Yes, I'd argue in many cases though. Because all the NXDOMAIN traffic to a root gets answered locally without leaving the box (of which 2/3rds is the latest estimate of all root traffic). So queries for my_secret_something._udp won't traverse the internet at all.

--
Wes Hardaker
Google
