On Sun, Jan 31, 2010 at 08:11:43PM -0500, Robert Edmonds wrote: > i think you are mistaken. in practice, unbound (or bind or any other > reasonably compliant full service DNS resolver / cache) only sends > occasional queries to the root; running unbound in normal recursive full > service mode doesn't "hammer" the roots. delegations and glue from the > root zone have quite long TTLs (2 days).
Hi Robert, I would like to add my 2 centes to agree with Martin here. In a DNSSEC world, all computers must have local resolvers in order to do DNSSEC validation. As DNSSEC deployment increases and applications begin to depend on validated DNS responses, I believe that someday operating systems will have to ship with a default configuration that provides a local resolver. I believe we should prepare for this situation now. The large masses of end user systems (I am talking about millions of computers connecting to the Internet) most certainly *WILL* essentially be hammering the root and TLD nameservers. Each one of them has to fetch NS (and DS and DNSKEY and RRSIG) records for every label in the tree once per TTL interval. That's dozens of queries per day *per* *computer*. Plus additional queries whenever these machines get rebooted and whatnot. If using upstream resolvers, the huge majority of those queries would get answered from the ISP nameservers' caches. Of course some administrators will prefer to not trust their ISP's resolvers or will require split-horizon DNS, or local domains or whatever. These people can override the default and make their resolvers use the root hints directly. They are a small minority and don't matter. > the only way you could see unbound "hammering" the roots would be if > your clients looked up a large number of domain names under nonexistent > TLDs. because query rcode 3 (name error / NXDOMAIN) only specifies the (But that won't happen if unbound is doing the recursion itself because it will follow the delegation chain, and if unbound is forwarding instead of doing the recursion itself then you will only hammer the upstream servers which is... well... more scalable than hammering the roots. So this point is not relevant.) -Phil -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
