Local Slave copy of root zone
Tony Finch
dot at dotat.at
Wed Aug 15 17:43:06 UTC 2018
Doug Barton <dougb at dougbarton.us> wrote:
>
> Slaving the root and ARPA zones is a small benefit to performance for a busy
> resolver, [...]
> This technique is particularly useful for folks in bad/expensive network
> conditions. While the current anycast networks of root servers is much better
> than it was "in the old days," the more data you have locally the more
> resilient you are to DDOS against those targets.
I should probably have said that it isn't just RFC 8198:
* synth-from-dnssec (RFC 8198) synthesizes negative answers, so in most
cases you don't need to talk to the authorities to find out that the
answer is no; this is on by default
* prefetch (https://tools.ietf.org/html/draft-wkumari-dnsop-hammer [1])
means your users won't suffer the latency of talking to the authorities
when a popular name expires from the cache; this is on by default
* stale-answer-enable / max-stale-ttl (https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale)
means you can still function for a while if you can't reach the authorities
These are all general-purpose features, not at all specific to the root.
I think a local root was clearly a good idea before DNSSEC; since 2010 I
have been less comfortable with it.
[1] contains possibly my favourite ack ever
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Sole, Lundy, Fastnet: Southwest veering west, 4 or 5, increasing 6 for a time.
Moderate or rough, occasionally slight later. Rain then showers. Moderate or
poor, becoming good.
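For readers who want to see what the three options Tony lists look like in a resolver configuration, here is a named.conf options fragment added to this archive page as an illustration; it is not part of Tony's message or of any project's shipped configuration. The directory path and the TTL values are arbitrary choices for the example, and dnssec-validation is included because synth-from-dnssec can only synthesize answers from NSEC records that have been validated.

```conf
options {
    // illustrative cache directory; pick whatever your distribution uses
    directory "/var/cache/bind";
    recursion yes;

    // synth-from-dnssec works from validated NSEC records, so validation
    // has to be on for it to do anything
    dnssec-validation auto;

    // RFC 8198 aggressive use of NSEC: answer NXDOMAIN / NODATA for names
    // covered by a cached, validated NSEC record without asking the
    // authoritative servers again
    synth-from-dnssec yes;

    // draft-wkumari-dnsop-hammer: when a query arrives for a cached record
    // whose remaining TTL is 2 seconds or less, refresh it in the background,
    // provided its original TTL was at least 9 seconds (BIND's defaults),
    // so popular names are refreshed before they expire
    prefetch 2 9;

    // draft-ietf-dnsop-serve-stale: if the authoritative servers cannot be
    // reached, keep answering from expired cache entries for up to one day
    // (86400 is an example value, not a recommendation)
    stale-answer-enable yes;
    max-stale-ttl 86400;
};
```

None of this refers to the root zone specifically; the same options help for every zone the resolver caches, which is the point of the message above.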