On 2018-08-15 10:43, Tony Finch wrote:
Doug Barton <do...@dougbarton.us> wrote:
Slaving the root and ARPA zones is a small benefit to performance for
a busy
resolver, [...]
This technique is particularly useful for folks in bad/expensive
network
conditions. While the current anycast networks of root servers is much
better
than it was "in the old days," the more data you have locally the more
resilient you are to DDOS against those targets.
I should probably have said that it isn't just RFC 8198:
* synth-from-dnssec (RFC 8198) synthesizes negative answers, so in most
cases you don't need to talk to the authorities to find out that the
answer is no; this is on by default
If you're slaving the zone on the resolver, that resolver is
authoritative for the zone, so it doesn't need to query another server
to prove that the answer is no.
* prefetch (https://tools.ietf.org/html/draft-wkumari-dnsop-hammer [1])
means your users won't suffer the latency of talking to the
authorities
when a popular name expires from the cache; this is on by default
If you're slaving the zone, there is no cache to expire.
* stale-answer-enable / max-stale-ttl
(https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale)
means you can still function for a while if you can't reach the
authorities
This is a terrible idea, so not having it is a good thing. :)
These are all general-purpose features, not at all specific to the
root.
I think a local root was clearly a good idea before DNSSEC; since 2010
I
have been less comfortable with it.
How, specifically, is DNSSEC affected by the validating resolver having
a local copy of the root zone?
Doug
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
