Hi all. I fully agree with Andrew that the cause is far worse than the disease.
I don't think the disease is life threatening. I keep hearing about the "Problem" of bogus queries to the root. It is certainly messy and ugly but from my perspective as an operator it is more of irritant than anything else. The capacity building for root operators, at least in our case, is not built around those bogus queries, it's build around other problems such as the number of hosts with weak security that are available for use in DDOS attacks. In % terms the 90%+ of bogus queries is irritating, moving those queries out to the ISPs doesn't stop them, just shares the pain a little and probably hides the problem somewhat. For now I still believe the best answer is to keep answering with NXDOMAIN and hoping that one day, this is where I am delusional, that those do the querying will fix their end of the problem... John Crain On 04/04/2008 08:19, "Andrew Sullivan" <[EMAIL PROTECTED]> wrote: On Fri, Apr 04, 2008 at 07:37:31AM -0700, David Conrad wrote: > >> leakage to the root servers is enormous. > > This sounds to me like a cure that is quite possibly worse than the > > disease. > > In what way? It rather depends on how much the root zone changes. The targets of "run your own root copy" are the people who don't know how to capture and appropriately isolate (or don't care to do it) their bogus traffic. The proposed solution is to tell them to get a copy of the root zone and run that. What makes us think that they'll keep that copy up to date, do sensible things with it, &c? I am familiar with one largeish zone that had its infrastructure on the wrong end of an expensive link between it and the largest ISP in the country. Their answer to this was to transfer the zone to the ISP. Unfortunately, nobody at the ISP was monitoring the log files, and someone failed to keep the TSIG keys in sync, so their copy of the zone gradually came to be wrong. Since none of this copying-of-zone-around was documented anywhere, it took some time to debug the problem, during which time large sections of that domain were unavailable to a substantial population in the country in question. I can just imagine the hue and cry that would happen when new top level domains "don't work for everybody". A -- Andrew Sullivan [EMAIL PROTECTED] +1 503 667 4564 x104 http://www.commandprompt.com/ _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
