On Tue, Oct 29, 2019 at 8:30 PM Jim Reid <[email protected]> wrote:
>
> On 30 Oct 2019, at 01:32, Eric Rescorla <[email protected]> wrote:
> >
> >> Yes, it's hard, but I think it's worthwhile, because the prospect of
> >> getting the root to offer ADoT seems very distant to me.
> >>
> > Why? Do we have estimates of the load level here as compared to (say)
> > Quad9 or 1.1.1.1?
>
> The root server operators publish statistics on the traffic they get.
> Links for some of their data can be found at https://root-servers.org.
>
> The anycast cluster for a.root-servers.net alone currently handles
> upwards of 8B queries/day - roughly 100,000 queries/second. That’s steady
> state. The numbers would go *far* higher than that during a Mirai-style
> DDoS attack.
>
> It’s going to be a challenge to get authoritative servers handling those
> sorts of query levels to support DoT (over TCP?). FWIW solving the
> non-trivial operational and engineering issues will be the easy bit.
> Solving the layer-9 issues will be harder. I expect that also holds for DoT
> support at authoritative servers for important TLDs or the DNS hosting
> platforms from the likes of Akamai, Dyn, UltraDNS, etc that handle very
> high query rates.
>
> I suppose someone could ask RS SAC* for their opinion on deploying DoT at
> the root. And having lit the blue touchpaper, I will now run away at great
> speed to watch the ensuing firework display. :-)

The root zone is data: whether one distributes it via DoT, DoH, IPv6, or
carrier pigeon is irrelevant to the policies that govern what's in it. And
furthermore none of the network engineering issues raised against DoH apply
to recursive-to-authoritative.

We absolutely can engineer reliable anycast clusters to handle 100,000
queries a second. That's only 100 cores if each core can do 1000 queries a
second.

Akamai handles a substantially greater volume of considerably more
expensive HTTPS traffic: the DNS queries are part of the HTTPS.

Encryption at the root is very possible.

>
> * Other ICANN advisory committees are available.
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy


--
"Man is born free, but everywhere he is in chains".
--Rousseau.