> On Sep 2, 2015, at 3:08 PM, Paul Vixie <p...@redbarn.org> wrote:
>
>
>
> Stephane Bortzmeyer wrote:
>> On Wed, Sep 02, 2015 at 08:28:10AM +1000,
>> Mark Andrews <ma...@isc.org> wrote:
>>
>>> ...
>>>
>>> 1. Recommend *every* recursive server holds a copy of the root zone.
>>
>> The problem is more general than that. It is not only the root (well,
>> the sniffers along the path to the root name servers), it is a
>> recursive-to-authoritative problem. Your solution does not work for
>> .com or even .fr.
>
> right. however, if tcp-fastopen and tls are used for the
> server-to-server traffic (cache misses), the ~30M recursives could each
> have a permanently nailed-up TCP session to the ~10M authoritatives. i
> don't love the resulting state load, but it would secure the top of the
> flow.

I assume your ~30M number comes from open resolver scans, and while you can find that many addresses that will openly forward queries, they don't all talk directly to authoritative servers. In fact, those ~30M forward through to about ~300K that then talk to the auths.

DW
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop