DNS issues various

From: "Greg Pendergrass" <greg@band-x.com>
Subject: RE: WP: Attack On Internet Called Largest Ever

Future attacks will be stronger and more
organized. So how do we protect the root servers from future attack?

As has been discussed here previously (see archive) it is
unclear that the root DNS servers are particularly vulnerable,
so further effort specifically defending them may be misplaced,
compared to efforts to address DDoS in general, or efforts to
fortify other parts of the Internet infrastructure.

From: "Joe Patterson" <jpatterson@asgardgroup.com>

would it cause problems, and more importantly would it solve potential
problems, to put some/most/all of the root servers (and maybe gtld-servers
too) into an AS112-like config?

Last time it was discussed I thought that the provisions already
in the DNS RFC's to allow zone transfer for "." to recursive
servers is a neat solution for the root zone.

It can be implemented with existing technology, no new
servers/routers needed.
Bypasses the 13 root server limit.
Reduces load on the current root servers.
Increases performance when unknown domains are queried.
Even if all addresses where the zone was available were public,
a persistent DDoS would merely deny the addition of new TLD's,
or readdressing of all DNS servers for a TLD, both occur rarely.

The gtld-servers, and servers for other key zones, maybe more
painful to do without, harder to replace, or less well
configured and/or protected than the root servers.

From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Subject: Re: Testing root server down code

Microsoft DNS has a poor response and can spin out of control with all root
servers available..

Unfair, Microsoft DNS has a good response and peak throughput
when it isn't spining out of control :wink:

From: "Martin J. Levy" <mahtin@mahtin.com>
Subject: Re: Testing root server down code

>2. Encourage greater software diversity for DNS sever systems. Currently most DNS servers are based on the BIND Berkeley Internet Name Domain code base. There is also a Microsoft Windows version of DNS that very few groups currently run.
>3. ...

Hence... At least in the US (and I can't say for the rest of the world), the government have been recommended to consider Microsoft's version of DNS.

Others might interpret that as not to run BIND, or Microsoft DNS

Surely that should be "code bases", plural, as BIND 9 is a new
code base?

So that is BIND 4, BIND 8, BIND 9, MS DNS, UltraDNS and DJBDNS
in fairly widespread use (and the one the root servers use if
they don't use BIND), or supporting critical domains, but we
still need more diversity?! I think promoting correct
configuration, and in-balliwick delegation, would be more

Now how do I set follow-ups to comp.protocols.tcp-ip.domains ?

There are pluses and minuses to that approach. The people at .biz and
.info are _still_ getting complaints from people sitting behind broken
resolvers with bogus copies of the root zone. Doing this in a widespread
manner is likely to lead to more problems of this sort for new TLD's, and
updates to existing ones.

Also, if you consider that <some high percentage> of root server queries
are for the same say, 10 TLD's, and that those records are cached for 2
days, it would most likely be a net increase in root server traffic to
have millions of resolvers slaving the zone.

Speaking only for myself, I think the combination of anycast and DNSSEC
has the best chance of success; both for the root and gTLD servers.