Local Slave copy of root zone

Tony Finch dot at dotat.at
Wed Aug 15 17:43:06 UTC 2018

Doug Barton <dougb at dougbarton.us> wrote:
> Slaving the root and ARPA zones is a small benefit to performance for a busy
> resolver, [...]

> This technique is particularly useful for folks in bad/expensive network
> conditions. While the current anycast networks of root servers are much better
> than they were "in the old days," the more data you have locally the more
> resilient you are to DDOS against those targets.

I should probably have said that it isn't just RFC 8198:

* synth-from-dnssec (RFC 8198) synthesizes negative answers, so in most
  cases you don't need to talk to the authorities to find out that the
  answer is no; this is on by default

* prefetch (https://tools.ietf.org/html/draft-wkumari-dnsop-hammer [1])
  means your users won't suffer the latency of talking to the authorities
  when a popular name expires from the cache; this is on by default

* stale-answer-enable / max-stale-ttl (https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale)
  means you can still function for a while if you can't reach the authorities

These are all general-purpose features, not at all specific to the root.

I think a local root was clearly a good idea before DNSSEC; since 2010 I
have been less comfortable with it.

[1] contains possibly my favourite ack ever

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Sole, Lundy, Fastnet: Southwest veering west, 4 or 5, increasing 6 for a time.
Moderate or rough, occasionally slight later. Rain then showers. Moderate or
poor, becoming good.
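As an added illustration (not part of the message above, nor BIND's own documentation), a named.conf options fragment enabling the three general-purpose features listed in the reply; the option names are BIND 9.12+ directives, and the numeric values are illustrative choices rather than recommendations:

```conf
options {
    // Added example, not from the original post. Values are illustrative.

    // RFC 8198: use cached NSEC/NSEC3 records to synthesize NXDOMAIN / NODATA
    // answers locally instead of asking the authoritative servers again.
    synth-from-dnssec yes;

    // Prefetch: when a cached record is queried with 2 seconds or less of TTL
    // remaining, and its original TTL was at least 9 seconds, refresh it in
    // the background so clients never wait for the authorities.
    prefetch 2 9;

    // Serve-stale: if the authorities cannot be reached, keep answering from
    // expired cache entries for up to one day, tagging each answer with a
    // short TTL so clients come back once the upstream recovers.
    stale-answer-enable yes;
    max-stale-ttl 86400;   // seconds an expired entry may still be served
    stale-answer-ttl 30;   // TTL handed to clients on a stale answer

    // No zone "." stanza here: as the reply notes, these options apply to
    // every domain and give most of the benefit without slaving the root.
};
```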
