Libor Peltan <[email protected]> wrote:
> And yes, the root zone signing process should be modernized to be able
> to sign incrementally, in any case. But that's not critical.
What matters is that we don't design LocalRoot in a way that makes such a
change hard :-)
> As an alternative, I have also thought that as root zone is signed with
> NSECs, the resolvers actually can fill their cache by simply iterating
> the zone with normal queries :) But then I thought, that simply
> enabling aggressive negative caching is more efficient.
> Anyway, what are the main benefits of local root against negative
> caching?
a. When the root nameservers are under DDoS, you don't care.
b. If a significant fraction (90%+) of the resolvers that matter are doing
LocalRoot, then root name server operators can deal with DDoS more
aggressively.
> I concur with the caution that transferring zone files over HTTP(S) looks
> weird and care must be taken not to fall into some circular dependency
> (HTTPS TLS certificate requiring working DNS?). But one argument for
> this is that it is already implemented and running.
The zone could even be broadcast via geo-satellite :-)
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
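Both ideas in Libor's message, walking the root's NSEC chain to pre-fill a cache and aggressive negative caching (RFC 8198), rest on the same check: can a cached NSEC record prove that a queried name does not exist? The following is an added example (not code from either poster) of that check over a constructed miniature root-zone NSEC chain; name ordering follows RFC 4034 section 6.1, and the closest-encloser step assumes a zone with no empty non-terminals, which holds for the delegation-only root.

```python
# Constructed miniature root zone (not real root data): (owner, next owner,
# RR types at owner). The last NSEC points back to the apex, closing the chain.
NSEC_CACHE = [
    (".",     "arpa.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("arpa.", "com.",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("com.",  "net.",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("net.",  "zw.",   {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw.",   ".",     {"NS", "DS", "RRSIG", "NSEC"}),
]

def canon(name):
    """Canonical ordering key (RFC 4034 s6.1): labels compared from the root,
    lower-cased, as unsigned bytes; a missing label sorts before any label."""
    labels = [l.encode().lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner, nxt, qname):
    """True if qname lies strictly inside the gap (owner, nxt); the final NSEC
    wraps around to the apex, so its gap is 'after owner or before apex'."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    return o < q < n if o < n else (q > o or q < n)

def lookup(qname, cache=NSEC_CACHE):
    """'NXDOMAIN' if the cached chain proves qname absent, 'EXISTS' if an NSEC
    owner matches it exactly, None if the cache cannot decide (ask upstream)."""
    q = canon(qname)
    owners = {canon(o): types for o, _, types in cache}
    if q in owners:
        return "EXISTS"
    labels = [l for l in qname.rstrip(".").split(".") if l]
    ancestors = [".".join(labels[i:]) + "." for i in range(1, len(labels))]
    # Nothing below a zone cut (NS without SOA) can be synthesized from the
    # parent's NSEC: those names belong to the child zone.
    for anc in ancestors:
        types = owners.get(canon(anc))
        if types and "NS" in types and "SOA" not in types:
            return None
    if not any(nsec_covers(o, n, qname) for o, n, _ in cache):
        return None
    # RFC 8198 s5.1: also prove no wildcard at the closest encloser. The
    # encloser is the longest existing ancestor ("." if none); this assumes no
    # empty non-terminals, which holds for the delegation-only root zone.
    encloser = next((a for a in ancestors if canon(a) in owners), ".")
    wildcard = "*." + ("" if encloser == "." else encloser)
    if canon(wildcard) in owners:
        return None          # a wildcard exists, so an answer may be synthesized
    if not any(nsec_covers(o, n, wildcard) for o, n, _ in cache):
        return None
    return "NXDOMAIN"
```

A resolver that answers NXDOMAIN from `lookup()` never has to send the query to a root server, which is exactly why the DDoS argument above is weaker once most resolvers do this.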
