On Oct 29, 2014, at 10:27 PM, Runxia Wan <wanrun...@aliyun.com> wrote:

> I am reviewing draft-wkumari-dnsop-root-loopback-00 and
> draft-wkumari-dnsop-dist-root-01. I have some questions about some details of
> the draft:
> First, when a resolver falls back to legacy operation, I guess there should
> be a retry interval for it to retry to work in the loopback operation (I mean
> the operation the draft describes). But the draft does not mention how to set
> it. Is there any suggestion about the value of the retry interval, or is this
> something we should test?
No. We purposely made the root-server-on-the-loopback be just like a normal root server in your list, so there are no special settings for how often you should retry it. Your current software should be periodically performing round-robin probes of all the addresses anyway, and preferring the fastest ones, so if your loopback server goes down then later comes back up, it will be found soon, just as if a new anycast node appeared near you.

> The other, as far as I'm concerned, every record in the zone file should be
> validated by the resolver using DNSSEC. Even if any one of them cannot be validated,
> the resolver should discard the zone file and try another server in the list.
> If the entire list is tried, it should log an error and fall back to legacy
> operation. May it lead the resolver to fall back to legacy operation often,
> since errors are likely to happen, such as any unsigned TLDs or validation
> failures?

I don't think I understand your question. Zones can be partially signed, and the root zone is no different. Other validation failures *should* cause fallback to legacy operation: it means that the copy of the zone that was received was bad in some way. Having the server software say "I'm authoritative for these names in my zone, but not these others" would be very risky.

> And, with the increasing size of the zone file in the future, may this validation for
> each TLD cause a degradation of QPS in the resolver?

This is an interesting question, but we are not concerned. We assumed that the recursive resolver was validating all answers it was giving anyway, but you seem to be asking about a situation where the validation was being done *only* for pulling the root. In our assumption, the number of additional validations is probably tiny relative to the normal level of queries that the recursive resolver is getting.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
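The fetch-validate-or-fall-back procedure discussed in the thread (pull a copy of the root zone, reject the whole copy if any signature fails to validate, try the next source, and fall back to legacy root resolution when every source is exhausted), as an added example that is not part of the draft or of either message above. It assumes `dig` and `ldns-verify-zone` are on the PATH, that the listed servers allow AXFR of the root zone (placeholder names; the draft carries the authoritative list), and that the root trust anchor lives at the path in `TRUST_ANCHOR`. It deliberately has no retry timer of its own, in line with the reply above: the loopback server is just another root server to the resolver, so the script only needs to be run periodically by whatever scheduler the operator already uses.

```shell
#!/bin/sh
# Added example (not from the draft or the thread): load a validated copy of
# the root zone for a root-on-loopback server, or signal fallback to legacy
# operation when no source yields a copy that fully validates.
set -eu

# Assumed: servers that offer AXFR of the root zone. Placeholder names; check
# the draft for the current list.
ROOT_SOURCES="${ROOT_SOURCES:-k.root-servers.net f.root-servers.net xfr.lax.dns.icann.org}"
# Assumed path: the root trust anchor (DS or DNSKEY) the resolver already uses.
TRUST_ANCHOR="${TRUST_ANCHOR:-/etc/unbound/root.key}"

log() { printf '%s root-loopback: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# fetch_zone SERVER OUTFILE: AXFR the root zone from SERVER into OUTFILE.
fetch_zone() {
    dig @"$1" . AXFR +onesoa +nocmd +nocomments +nostats > "$2"
    # dig exits 0 even when the transfer is refused, so insist on the SOA.
    grep -q '^\.[[:space:]].*[[:space:]]IN[[:space:]]SOA[[:space:]]' "$2"
}

# verify_zone ZONEFILE: every signed RRset must validate against the trust
# anchor; one bad signature rejects the whole file (no partial acceptance).
verify_zone() {
    ldns-verify-zone -k "$TRUST_ANCHOR" "$1" > /dev/null
}

# load_root_zone SOURCES TARGET: try each source in order and install the
# first copy that fully validates, replacing TARGET atomically. Returns 1
# when no source produced a valid zone, i.e. fall back to legacy operation.
load_root_zone() {
    sources=$1
    target=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/root.zone.XXXXXX")
    for srv in $sources; do
        if ! fetch_zone "$srv" "$tmp"; then
            log "transfer from $srv failed, trying next source"
            continue
        fi
        if ! verify_zone "$tmp"; then
            log "zone from $srv failed DNSSEC validation, discarding it"
            continue
        fi
        mv "$tmp" "$target"
        log "installed validated root zone from $srv"
        return 0
    done
    rm -f "$tmp"
    log "no source produced a valid root zone, falling back to legacy operation"
    return 1
}

# Stand-alone use (assumed paths): ./root-loopback.sh run /var/cache/root.zone
# A non-zero exit tells the caller to leave the loopback server unloaded.
if [ "${1:-}" = "run" ]; then
    load_root_zone "$ROOT_SOURCES" "${2:-/var/cache/root-loopback/root.zone}"
fi
```

The loop only ever swaps in a complete, validated file, which is the property the reply insists on: the loopback server is either authoritative for the whole root zone as received, or it is not loaded at all.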