Date: 23 Nov 2002 06:16:46 -0000
Message-ID: <20021123061646.22603.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: namedroppers@ops.ietf.org
Subject: Re: DNS Server DoS Attacks
References: <1507321518.1037986651@d58.wireless.hilander.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The DNS protocol should be augmented with a separate protocol for
distributing (signed) copies of the root zone (in a sensible format)
through USENET, mailing lists, etc. ISPs can and should run local root
servers.

I agree with the idea of caching root zone data for a very long time.
The root-zone protocol should promise that every piece of data will last
for a month.

Effects on load: Everybody will receive the entire zone, rather than
just the parts they need. On the other hand, any sensible format would
be much smaller than DNS packet format. More importantly, the data will
be cached much more effectively than it is with the current root-zone
protocol. Most importantly, the load will be very widely distributed.

Side benefit: It will be easy to expand to hundreds of .com servers. Of
course, the root servers could pack more than 20 .com server addresses
into a 512-byte UDP packet with the current protocol (if they drop the
silly one-name-one-address notion), and nobody would complain if the
root servers selected those addresses randomly from a much larger pool;
but distributing the root zone lets ISPs pick nearby .com servers.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago