> On 26 Feb 2026, at 2:47 am, Petr Špaček <[email protected]> wrote:
>
> On 15. 02. 26 19:33, Joe Abley wrote:
>> On 4 Feb 2026, at 10:27, Libor Peltan <[email protected]> wrote:
>>> As a DNS nerd, I also favor AXFR/IXFR for local root updates.
>> Just curious, why?
>> I understand that when you live and breathe DNS, zone transfer as a concept looks and feels a certain way, but do you see technical advantages to using AXFR over (say) HTTPS?
> Tremendous attack surface of the HTTP and TLS ecosystem, plus extra dependencies for an HTTP library which were nonexistent before.
>
> When we write "HTTP" it is actually 4 software stacks, namely:
> - HTTP/1
> - HTTP/2
> - TLS
> - HTTP/3 / QUIC
>
> Each implemented as a separate library with its own quirks.
>
> I've been personally dealing with DoH bugs since its inception and the amount of time DNS engineers spent on working around HTTP/TLS quirks is astonishing, and new attacks are being looked for as we speak.
>
> One way to deal with this would be something like 'MUST support HTTP/3', but I'm not sure if it is practical at this point. Doing 'MUST HTTP/2' would be easier to achieve in practice but hey, isn't it weird to peg an old protocol?
>
> Anyway, I second Ben Schwarz's opinion that we really need a self-contained DNS solution. HTTP can be optional in case a given DNS implementation has to deal with HTTP because of other reasons.
>
"we really need self-contained DNS solution"

I beg to differ. The intention of this approach is not to replace querying the root servers, but to provide recursive resolvers that perform such queries with the ability to perform an operation that loads the entire root zone into its local cache in a single transaction. If that fails for whatever reason, then by all means the recursive resolver should (must) keep on using incremental querying to root servers, just as recursive resolvers do today.

If this was a proposal to completely replace incremental queries with only full zone transfers then there are many issues, including the ones you refer to above. But it's not proposing any such replacement; it's proposing to augment the mechanisms available to recursive resolvers. Augment, not replace.
