joe,

this makes no sense to me - the cacheing mechanisms are essentially doing what you suggest. That's one of the reasons the system is resilient. But you need to invalidate the cache to deal with changes to the binding of domain name and IP address. Simply mirroring everything doesn't improve things, in my estimation. In fact, trying to mirror everything everywhere has a massive update problem. Cacheing spreads the update process over time.

The USG doesn't actually run the root server (although some of the root servers are in fact housed at USG supported laboratories). The Dept of Commerce in effect delegates the actual operation to the root server operators.

The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:

>To survive a sustained DDOS attack against the roots, the best solution
>an ISP has is to run its own system and eliminate any dependence on the US
>government for basic internet services. It would also be prudent for other
>primary namespaces like .com. Unfortunately, though, it would require a
>considerable amount of resources -- the .com zone file alone is well over
>a gigabyte in size. But the root file is very manageable and can easily
>be run on an ISP's local domain name servers.

Vint Cerf
SVP Architecture & Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax