On 5 Dec 2003, Paul Vixie wrote: > my experience differs. when a root name server is present it has to be > fully fleshed out, because if it isn't working properly or it falls over > due to a ddos or if it's advertising a route but not answering queries, > then any other problem will be magnified a hundredfold. It depends on the "problem profile" you working to avoid. > doing root name service in a half-baked way is much worse than not doing > it at all, since over time the costs of transit to a good server will be > less than the costs of error handling and cleanup from having a bad one. This could be true, but irrelevant. It depends on the costs of transit and cleanup. Transit to a remote island could be very expensive, while labor to cleanup any problems might be very cheap. > moreover, your statement "only the packet(s) of that country will reach the > local root server" is presumptive. Not necessarilly. If the country operates a root server that is only accessible from that country, that is, only in the preloaded in the caches of that countries' nameservers, then the 'presumption' is true. The list of root nameservers is determined by the lists that are pre-loaded into other nameservers, not by the 'dig . ns' query on a real root. You could have hundreds of root slaves, but only a small number of truly global root servers without any problems at all. This would probably be a good thing for the global servers. > under error conditions where transit is leaked, such a server could end > up receiving global-scope query loads. in our current > belt-and-suspenders model, we (f-root) closely monitor our peer routing, > AND we are massively overprovisioned for "expected" loads, since a ddos > or a transit-leak can give us dramatically "unexpected" loads. This is a feature that is specific to your anycast setup. Simpler, non-anycast setups wouldn't have this problem. > if you know someone who is willing to provision a "root" name server without > a similar belt and similar suspenders, then please tell them to stop. Are all the roots doing anycast? I've run private roots without any problems, and have experienced significant improvements for doing so. (see below) > on a connectivity island (which might be in the ocean or it might just be > a campus or dwelling), the way to ensure that local service is not disrupted > by connectivity breaks is to make your on-island recursive name servers > stealth slaves of your locally-interesting zones. in new zealand for > example it was the custom for many years to use a forwarding hierarchy > where the nodes near the "top" were stealth slaves of .NZ, .CO.NZ, etc. > that way if they lost a pacific cable system they could still reach the > parts of the internet which were on the new zealand side of the break. This assumes that you are mixing authoritative and caching nameservers. Something that many people (including you) advise against. Operating a root nameserver is much easier. Obviously, in the case of an island or small country that has only one connection, or perhaps one network center, a DDOS that affects the local root is going to affect all connectivity. Their only option may be to drop connectivity. Actual war could have the same impact, due to broken communications line. A local root in each country is probably a good idea. I've also found that when setting up non-connected laboratory networks, it is better to have a 'lab root' server, that acts like a root, since machines in the lab can't access real root servers. This greatly enhances performance in the case where a wrong, or just non-lab domainname is typed in, since you can get an nxdomain back right away instead of waiting for a timeout as the root servers at tried.