Date: 23 Nov 2002 06:16:46 -0000
Message-ID: <20021123061646.22603.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein"
To: namedroppers@ops.ietf.org
Subject: Re: DNS Server DoS Attacks
References: <1507321518.1037986651@d58.wireless.hilander.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The DNS protocol should be augmented with a separate protocol for distributing (signed) copies of the root zone (in a sensible format) through USENET, mailing lists, etc. ISPs can and should run local root servers.

I agree with the idea of caching root zone data for a very long time. The root-zone protocol should promise that every piece of data will last for a month.

Effects on load: Everybody will receive the entire zone, rather than just the parts they need. On the other hand, any sensible format would be much smaller than DNS packet format. More importantly, the data will be cached much more effectively than it is with the current root-zone protocol. Most importantly, the load will be very widely distributed.

Side benefit: It will be easy to expand to hundreds of .com servers. Of course, the root servers could pack more than 20 .com server addresses into a 512-byte UDP packet with the current protocol (if they drop the silly one-name-one-address notion), and nobody would complain if the root servers selected those addresses randomly from a much larger pool; but distributing the root zone lets ISPs pick nearby .com servers.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
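The packet-sizing claim in the last paragraph, worked through as an added example that is not part of Bernstein's message: a minimal DNS referral encoder with RFC 1035 label compression counts how many name-server addresses fit in a 512-byte UDP response, comparing the one-name-one-address layout with many A records under a single NS name. The server names and 10.0.0.x addresses are constructed placeholders, not real .com server data.

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit (no EDNS)

def encode_name(name, offsets, pos):
    """Encode `name` with label compression; `offsets` maps suffixes already
    written to their message offset, `pos` is where this name starts."""
    labels = name.rstrip(".").split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                     # reuse an earlier copy
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        if pos + len(out) < 0x4000:               # pointers hold 14 bits
            offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_referral(zone, glue, ttl=172800):
    """Header + NS question for `zone`, NS RRs in the authority section and
    A glue in the additional section; `glue` is [(ns_name, [ipv4, ...])]."""
    offsets = {}
    n_addr = sum(len(a) for _, a in glue)
    msg = struct.pack("!6H", 0x1234, 0x8000, 1, 0, len(glue), n_addr)
    msg += encode_name(zone, offsets, len(msg)) + struct.pack("!HH", 2, 1)
    for ns, _ in glue:                            # authority: NS records
        msg += encode_name(zone, offsets, len(msg))
        rdata = encode_name(ns, offsets, len(msg) + 10)  # after fixed fields
        msg += struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata
    for ns, addrs in glue:                        # additional: A glue
        for ip in addrs:
            msg += encode_name(ns, offsets, len(msg))
            msg += struct.pack("!HHIH", 1, 1, ttl, 4)
            msg += bytes(int(x) for x in ip.split("."))
    return msg

def max_addresses(zone, make_glue):
    """Largest n for which the referral built from make_glue(n) still fits."""
    n = 0
    while len(build_referral(zone, make_glue(n + 1))) <= UDP_LIMIT:
        n += 1
    return n

# Constructed server names; 10.0.0.x addresses are placeholders.
def one_name_one_address(n):          # a.gtld-servers.net ... one A each
    return [("%s.gtld-servers.net" % chr(97 + i), ["10.0.0.%d" % (i + 1)])
            for i in range(n)]

def many_addresses_one_name(n):       # one NS name carrying n A records
    return [("gtld-servers.net", ["10.0.0.%d" % (i + 1) for i in range(n)])]
```

With a "com" question the one-name-one-address layout stops at 14 servers, while a single NS name carries 28 glue addresses in the same 512 bytes.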