DNS ROOT understanding
jim at rfc1035.com
Fri Nov 19 10:09:44 UTC 2004
>>>>> "Dave" == SilentRage <bind-users at dollardns.net> writes:
Dave> Once you have a root server setup, you no longer have to
Dave> rely on querying and caching responses from the root
Dave> servers. As an ISP's resolver, this could improve the
Dave> performance of your dns server, albeit, maybe only slightly.
Dave> There has been one occurrence of a DDoS attack against the
Dave> root servers that was so massive, it actually slowed many of
Dave> them down. If you ran your own root server, you and your
Dave> clients would be unaffected by any problems they experience.
This is just silly. You're completely misguided. There is no good
reason for anyone to run their own local root server. Just because the
root zone file is available for FTP doesn't mean everyone should have
a copy in their local name servers. There are other important zones
available for FTP from ftp.rs.internic.net too and some TLDs are open
for zone transfer. That doesn't make it sensible to take copies of
them and load them into local name servers either.
A well behaved DNS setup will only query the root a few times a
week. Optimising for the responses to those queries is pointless and
unnecessary. Why focus on that handful of queries -- maybe one a day
-- when your name server is getting perhaps many thousands of queries
per day? Bear in mind too that shaving a few milliseconds off a
referral from the root doesn't make a noticeable difference to clients
on the time needed to resolve the MX records for dollardns.net
(say). For your entertainment I just timed that:
% dig dollardns.net mx +trace
;; Received 488 bytes from 184.108.40.206#53(K.ROOT-SERVERS.NET) in 47 ms
;; Received 133 bytes from 220.127.116.11#53(A.GTLD-SERVERS.net) in 124 ms
;; Received 205 bytes from 18.104.22.168#53(ns1.dollardns.net) in 184 ms
If I had a local root, that first referral would have taken around 10
ms instead of 47 ms. That would have brought the overall time of
resolving down from 355 ms to around 320 ms, saving a whole four
hundredths of a second. Assuming of course that my name server hadn't
already resolved a .net name and cached the info about the name
servers for the .net TLD. Which it more than likely had. Note too that
over half of the time spent resolving this query was waiting for a
response from your name servers. So if anything in this lookup needed
to be optimised, it would be that part of the resolution of your
zone's MX records.
Next, this local copy of the root zone file has to be kept up to date
because TLD servers change. Sometimes TLDs get added or removed too. This
creates an unnecessary maintenance overhead and needlessly complicates
the task of local name server administration. Why keep track of those
changes when there's no need to do that? Your name servers are
perfectly capable of querying the root servers who already do the job
of publishing the root zone and providing an excellent service.
Thirdly, DDoS attacks against the root servers are nasty and go on all
the time. So far they have not compromised the effectiveness of the
root server system as a whole, thanks to the way it is run: defence in
depth, redundancy, diversity, etc, etc. And even when the root servers
are under DDoS attack -- pretty much steady state for them -- local
clients and name servers are not going to know about that. As I said
already several times now, a well behaved DNS setup will only need to
query a root server perhaps once a day.
Rather than expend effort on this pointless make-work exercise, DNS
administrators should concentrate on the real problems affecting local
DNS lookups. These include fixing misconfigured resolvers, replacing
broken DNS software, running up to date name servers, eliminating
lookups for bogus TLDs, stopping reverse lookups for RFC1918 addresses
leaking out to the internet, eliminating forwarding setups, etc, etc.
Dave> In my opinion, the world is a friendlier place with only one set
Dave> of root servers and a single ruling body (ICANN) determining
Dave> what is placed there.
Dave> But this does not mean I don't have respect for the idea of
Dave> alternative roots and running your own root server.
There is a massive contradiction here. Or are you being ironic?
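The timing argument above (which hop of a +trace dominates, and how little a local root would save) can be checked mechanically. The following is an added example, not code from the original post or from the bind-users list: a small Python parser for the ";; Received N bytes from ADDR#PORT(NAME) in T ms" lines that dig +trace prints after each referral. The embedded trace is constructed to mirror the three hops quoted above, with RFC 5737 documentation addresses standing in for the real server addresses; the 10 ms figure for a local root is the assumption made in the post, not a measurement.

```python
"""Attribute resolution time per referral hop in `dig +trace` output.

Added example, not part of the original bind-users post. It parses the
";; Received ... from ADDR#PORT(NAME) in T ms" summary lines that dig +trace
prints for each hop, reports each hop's share of the total, and computes what
replacing the root referral with an assumed local root would save.
"""
import re

# One summary line per hop, as printed by BIND 9 dig with +trace.
HOP_RE = re.compile(
    r"^;; Received (?P<bytes>\d+) bytes from (?P<addr>[^#\s]+)#(?P<port>\d+)"
    r"\((?P<name>[^)]+)\) in (?P<ms>\d+) ms\s*$"
)

# Constructed sample modelled on the three hops in the post (root -> .net
# TLD server -> the zone's own name server). Addresses are RFC 5737
# placeholders, not the servers' real addresses.
SAMPLE_TRACE = """\
; <<>> DiG 9.3.0 <<>> dollardns.net mx +trace
;; global options:  printcmd
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
;; Received 488 bytes from 192.0.2.1#53(K.ROOT-SERVERS.NET) in 47 ms
net.                    172800  IN      NS      A.GTLD-SERVERS.net.
;; Received 133 bytes from 192.0.2.2#53(A.GTLD-SERVERS.net) in 124 ms
dollardns.net.          3600    IN      MX      10 mail.dollardns.net.
;; Received 205 bytes from 192.0.2.3#53(ns1.dollardns.net) in 184 ms
"""


def parse_hops(trace_text):
    """Return a list of (server_name, address, ms) tuples in referral order."""
    hops = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((m.group("name"), m.group("addr"), int(m.group("ms"))))
    return hops


def hop_shares(hops):
    """Map each hop's server name to its fraction of the total wall time."""
    total = sum(ms for _, _, ms in hops)
    if total == 0:
        return {}
    return {name: ms / total for name, _, ms in hops}


def slowest_hop(hops):
    """Name of the server that contributed the most time, or None if no hops."""
    if not hops:
        return None
    return max(hops, key=lambda h: h[2])[0]


def saving_from_local_root(hops, local_root_ms=10):
    """Milliseconds saved if the first (root) referral had taken local_root_ms
    instead of the measured time. local_root_ms is an assumed figure, as in
    the post; a local root that is no faster saves nothing, never a negative."""
    if not hops:
        return 0
    return max(0, hops[0][2] - local_root_ms)


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_TRACE)
    total = sum(ms for _, _, ms in hops)
    for name, addr, ms in hops:
        print(f"{name:24s} {ms:4d} ms  {100 * ms / total:5.1f}%")
    print(f"total {total} ms; slowest hop: {slowest_hop(hops)}")
    print(f"a 10 ms local root would save {saving_from_local_root(hops)} ms")
```

Run it against real output by piping `dig example.net mx +trace` into parse_hops; on a resolver that already has the TLD's NS records cached, the root hop does not appear at all, which is the "well behaved" case the post describes.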