On Sat, 23 Nov 2002, vinton g. cerf wrote:
joe, this makes no sense to me - the cacheing mechanisms are essentially
doing what you suggest. That's one of the reasons the system is resilient.
I agree and beutifully so. I take my hat off to the crew which put the
dns together in the first place. A good example is discussed from time to
time on the GA(_at_)dnso(_dot_)org mailing lists. As you may know ICANN has
to update some cctld records - but those cctlds continue to resolve. SO
yes I agree it is very resilient.
But you need to invalidate the cache to deal with changes to the binding
of domain name and IP address. Simply mirroring everything doesn't improve
things, in my estimation. In fact, trying to mirror everything everywhere
has a massive update problem. Cacheing spreads the update process over time.
But does it matter. We both agree it's a resilient system. Eventually
the updates are done. I don't see an issue here. Like I said before the
USG root file has carried incorrect information on cctlds and the system
The USG doesn't actually run the root server (although some of the root
servers are in fact housed at USG supported laboratories). The Dept of
Commerce in effect delegates the actual operation to the root server
Well who owns this monopoly. Whoever has control of the roots has control
of the 70% USG monopoly.
The issue is less the size of the file than the problem of updating many
copies of it reliably. The root server operators find it a challenge to
assure that even the modestly sized root zone file is correctly distributed
to all root servers accurately and in a timely fashion.
well .. maybe the root committee or the security committee could
investigate sponsoring root servers systems worldwide and work on solving
the update issue and the ietf i'm sure can help. After all the icann
through GAC is an international organization - or at least wants to be.
Your mission should be to reduce international dependence on a US centric
I feel the single root approach that stuart lynn advcated and established
as icann policy is a bit lame for todays high speed web servers.
Of course I always appreciate your views on this.
At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
To survive a sustained DDOS attack against the roots, the best solution
an ISP has is to run its own system and eliminate any dependence on the US
government for basic internet services. It would also be prudent for other
primary namespaces like .com. Unfortunately, though, it would require a
considerable amount of resources -- the .com zone file alone is well over
a gigabyte in size. But the root file is very manageable and can easily
be run on an ISP's local domain name servers.
SVP Architecture & Technology
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax