Acting as stealth slave for root zone

David Carmean dlc at
Wed Dec 8 03:18:19 UTC 2004

In the last couple of weeks, I've read pretty much all of the reporting
(that I can find on the web) that CAIDA et. al. have done on the junk
queries sent to the root nameservers. [1][2]  I noted that bogus queries
to the roots for unknown TLDs are reported in the literature at between
12% and 20% of the total load.  dnstop output showed that my users and 
their software are generating some number of queries for bogus TLD.  I 
began to think about ways to become a better user of the root servers.

Eventually, I tried something that I fully expected not to work: I tried 
to pull a copy of the root zone by zone transfer from the root servers 
themselves.  It worked!  I'd expected the query to be refused.

So ... I set my test cache server up as a "stealth" slave for the root 
zone, and behold, no more bogus TLD queries to the roots.  

Is this new/temporary behavior?  The spirited discussion a few weeks ago 
engendered by the idea of grabbing the root zone by ftp would seem to 
indicate that zone transfers have not always been permitted.  Otherwise ... 
why wouldn't have others tried this before me?

I'm not done testing this idea yet; is there anything obvious that I'm missing? 
Is this a hole that's going to be closed back up?  I would think that encouraging 
this configuration could measurably reduce the load on the roots.



More information about the bind-users mailing list