Re: national security

I think there are three confluences which tend to support the notion of 
national root nameservers:

1) Root Server scalability
2) Foreign distrust of US control on the internet
3) Isolation due to technical or political issues.

On Fri, 5 Dec 2003, Iljitsch van Beijnum wrote:

> On 5-dec-03, at 17:16, Dean Anderson wrote:
> 
> > Indeed, this is what they do when they agree to put the "national" root
> > nameservers in their own nameserver root configs.  It is far easier to
> > have per-country stealth root slaves than it is to make every nameserver
> > the stealth slave of every other domain in that country.
> 
> I don't think this stealth business is a very good idea. If you want a 
> root server somewhere, use anycast. That means importing BGP problems 
> into the DNS, which is iffy enough as it is. 

That seems to argue against anycast...

> But for a small network island just having a single set of resolvers and
> make sure those have all the needed information isn't a huge deal.
> Obviously such a place doesn't have a huge number of ISPs so the number
> of DNS servers will be quite limited in the first place.

It's the same "deal" as distributing the "official" root nameserver
updates.  Some people don't pay attention to this until they can't get
nameservice to work.  It's a problem, but it isn't made better or worse.

> > Yet a stealth root is comparably easy: You just tell your nameserver
> > operators to configure in the IP addresses for your national root
> > servers, instead of the "official" root servers.
> 
> So I have to trust these fake roots a 100%: not only that they don't 
> change the root zone, but also that they're always up to date and never 
> down. Tall order. An official anycast setup is much better: updates are 
> done the way they should be (last year when I wrote an article I 
> checked this: there is no policy anywhere on access to the root 
> zonefile. You can download it through FTP or even do a zone transfer in 
> a few places, but nothing official) and when your local root clone is 
> down there should be at least 12 others elsewhere.

They aren't exactly fake. They are just not listed by the "dig . ns"  
query, so they aren't technically authoritative. Though, I suppose they
could be--I'm just assuming they aren't.  As far as trust goes, since they
are run by your government, yes, you can trust them.  Since these zones
don't change much, they can be updated by zone transfers, or by other
official distribution.  As far as reliability goes, that's why you have 
more than one. And you scale it just like any other part of 
infrastructure.

Anycast doesn't make this job easier--it makes it harder. An Anycast
server can't easily do a zone transfer from itself.  This is just another
complication of running anycast.  Anycast is just a means of scaling up 
server infrastructure.  There are other methods of scaling.  Anycast 
doesn't particularly match the political interests.

I also don't conceive of a single national stealth server. I assume that
they may be many. Probably at least 2, and certainly more depending on the
size of the country.  The US would probably have a lot.

> > Indeed, it is probably sensible for ISPs to do the same.  This would
> > keep things working internally in the event of an effective isolation
> > due to a DOS attack, for example.
> 
> I think what we need to really solve this is a redesign of the DNS, as 
> the way it is now it breaks a fundamental design principle of the 
> internet: when two nodes have reachability, they should be able to 
> communicate, regardless of what else is (un)reachable. (I'm not 
> volunteering, though.)

I agree completely, but I don't think anything needs to change other than
management of existing services.  The internet has to continue to work
when it is partitioned, regardless of the reasons for the partitioning.
Those reasons could be technical, or political.  And the internet should
then just work when it's glued back together again.  But address and DNS 
delegations are hierarchical, so there is no reason that this can't be 
done.

> I've been in a situation where root servers were unavailable for the 
> better part of a day, and it's pretty frustrating to see your resolver 
> cache disappear over time so you can no longer reach places to which 
> you still have connectivity.

This is fixed by stealth slaves at large ISPs.  Small ISPs, if isolated, 
probably don't have enough customers to really care about getting to the 
other customers. But this might not be true for large ISPs, and might not 
be true of islands and small countries.  A small island in the Pacific 
might have several ISPs but only one underwater cable. If the cable is 
cut, they could be isolated for a while. But there is no reason they 
shouldn't be able to get to other sites that are on the island.
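
Added example (not part of the original message or of any project's code): a check an operator of a local root copy could run against the "always up to date" concern raised in the thread, comparing the copy's SOA serial with the upstream one using RFC 1982 serial arithmetic and the SOA expire timer. The SOA serials, timers and ages are constructed sample data, and the function names are hypothetical.

```python
from typing import NamedTuple

MOD = 2 ** 32  # SOA serials are 32-bit and wrap around (RFC 1982)


class Soa(NamedTuple):
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(line: str) -> Soa:
    """Parse a one-line SOA record in zone-file presentation format."""
    fields = line.split()
    idx = fields.index("SOA")
    # After "SOA" come mname and rname, then the five numeric fields.
    return Soa(*(int(f) for f in fields[idx + 3: idx + 8]))


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if serial a is newer than serial b."""
    return a != b and ((a - b) % MOD) < MOD // 2


def classify_copy(upstream: str, copy: str, age_seconds: int) -> str:
    """Classify a local copy given seconds since its last good transfer."""
    up, local = parse_soa(upstream), parse_soa(copy)
    if age_seconds > local.expire:
        return "expired"    # a slave must stop answering past the expire timer
    if serial_gt(local.serial, up.serial):
        return "diverged"   # copy is newer than upstream: edited locally
    if serial_gt(up.serial, local.serial):
        return "stale"      # upstream has published a newer zone
    return "current"


# Constructed sample SOA lines (serials and timers are illustrative only).
ROOT = ". 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. "
UPSTREAM = ROOT + "2003120501 1800 900 604800 86400"
COPY_OK = ROOT + "2003120501 1800 900 604800 86400"
COPY_OLD = ROOT + "2003120300 1800 900 604800 86400"
COPY_EDITED = ROOT + "2003120599 1800 900 604800 86400"

if __name__ == "__main__":
    for name, soa, age in [("ok", COPY_OK, 600), ("old", COPY_OLD, 7200),
                           ("edited", COPY_EDITED, 600),
                           ("cut off", COPY_OK, 700000)]:
        print(name, "->", classify_copy(UPSTREAM, soa, age))
```

The "expired" case corresponds to the partition scenario in the thread: a copy that cannot reach its transfer source for longer than the expire timer is no longer supposed to answer for the zone.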
