* Robert Edmonds:

> The entire DNS root zone is only 1 MB compressed and is updated about
> once a day. It would be even better for privacy if the whole root zone
> were distributed via HTTPS, as the initiator would not reveal to the
> server any information about what TLD is being looked up.
>
> There are currently ~1500 TLDs in the root zone. Dividing 1 MB by the
> number of TLDs, this is ~700 bytes per TLD, which is roughly the amount
> of bandwidth required by a query/response pair of UDP DNS packets to
> obtain the delegation for a TLD.
Or you can turn on query minimization and NSEC-based NXDOMAIN synthesis, at which point there is hardly any privacy leak left. The challenge with the root zone is that anyone can become a de facto root server operator for their own part of the Internet (at least with physical control over machines), by inviting some of the established operators to host an anycast node on their network. It's very difficult to guarantee privacy in such a widely distributed system.