Potential Problems - ISP building 'root mirrors'

Mark Andrews Mark_Andrews at isc.org
Mon Jun 27 23:50:10 UTC 2005 

> On Mon, 27 Jun 2005, Steve Mueller wrote:
> 
> > I've been tasked with looking into the root mirrors my predecessor put
> > place. I think this is a really bad idea, but some pointy haired person
> > wrote up an executive report that said the root servers are a DoS attack
> > away from bringing our network to a halt.
> >
> > Like I said, I don't really agree with this whole idea, but I'm going to
> > stay as openminded about it as possible until I see some data/facts.
> >
> > Anyone got some references on this? Links, Presentations, general
> > awareness regarding this topic.
> >
> > I've seen (and saved) discussions on this I found in posts of Usenet
> > past. Good info there.
> >
> > If we're going to keep doing this, I want to insure it is done right.
> > If we shouldn't be doing this at all, I need to backup my thoughts with
> > some cold hard facts.
> >
> 
> Well in the days when there were only 13 (or less) root servers and most
> of them were in the US then maybe a sustained dos attack was a real
> threat, however these days K alone has more than 14 instances distributed
> all over the world, and most of the other operators are using anycast to
> distribute the load and the redundancy to many locations, I think the risk
> is much much less than it used to be. Its difficult however to counter the
> atcual arguements for mirroring root servers unless we can see what they
> are. One thing to bear in mind though is that if the root servers did
> disapear for a sustained period then you may be able to still resolve
> other people but they wouldn't be able to resolve you back :)
> 
> --
> Brett Carr                              Ripe Network Coordination Centre
> System Engineer -- Operations Group     Singel 258 Amsterdam NL
> http://www.ripe.net
> GPG Key fingerprint = F20D B2A7 C91D E370 44CF  F244 B6A1 EF48 E743 F7D8

	Mirroring the root can do more than provide some DoS protection.
	It will also changes the load pattern on the real roots.  Rather
	than receiving loads of garbage queries (basically the ones the
	roots return NXDOMAIN too) they will go to handling refresh (SOA)
	queries and zone transfers.

	The real question is whether the shift in usage pattern better or
	worse for the roots.  As far as I am aware this has not yet been
	measured.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list