[DNSOP] Re: root zone transfers and CDNs
Florian Obser <florian+ietf@narrans.de> Sun, 15 February 2026 18:14 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0rh4wa-rUr0FWLXPGVfv9fAyrXk>

[FTR, I like LocalRoot and read all 4 drafts.]

On 2026-02-04 10:08 -06, Warren Kumari <warren@kumari.net> wrote:
> On Fri, Jan 30, 2026 at 9:48 PM, Philip Homburg <pch-dnsop-7@u-1.phicoh.com>
> wrote:
[...]
>> If you take that number and multiply it by the 1.4 MB that an AXFR of the
>> root currently takes then you'll get a pretty big number.
>>
>
>
> I worked out some numbers on this a while back…
>
> If one assumes 1,000,000 recursive resolvers all doing LocalRoot, doing 3
> updates per day over HTTPS, the total traffic is ~7TB per day, or ~222TB
> per month.
> If the web server did gzip compression, this drops to 3TB per day or 80TB
> per month.
> This assumes well-behaved resolvers.

Since we are wildly speculating, let's look at what resolvers are up to
and extrapolate from there.

According to https://rssac002.root-servers.org/rcode_0_v_3.html, the RSS
send 55.568.600.764 NOERROR responses on 2026-01-25. That's 643.155
NOERROR responses per second. These are things that are supposed to be
cached for a day (DS, RRSIG) or two (NS).

So, ~ 600.000 times a second something on earth expired from a cache for
the root (which is not true, resolvers are not well behaved, we know
that). What would happen if that triggers an AXFR?

600000 * 1.6 [AXFR size in MB] * 8 [bits] / 1024[Gbit] / 1024 [Tbit]
7.33 Tbit/s.

Uh oh...

Of course that math is BS. But by how much?
10x..: 700 Gbit/s
100x.: 70 Gbit/s
1000x: 7Gbit/s

k.root-servers.net currently does about 700 mbit/s outgoing traffic.

So my math needs to be BS by 3 orders of magnitude for the RSS /
Internet to break even.

What would happen if a popular DNS forwarder on CPEs decides to
implement these drafts?

What would happen if a popular mobile OS decides to roll out client side
DNSSEC validation and decides to take a standard open source resolver
that has these drafts implemented and defaults to "ON"? Obviously you
need to drop your cache on every network reconnect...

Yes, yes, this is all not super likely nor realistic, I guess what I'm
trying to say is: We just don't know what would happen if suddenly all
resolvers switched their default to "on" and some get their caching
wrong.

> These numbers are, as suggested, tiny in the scale of a CDN - as an

Another random thought, in this day and age of "AI" scrapers annoying
the hell out of everyone, it is not intuitively obvious to me that a DNS
server (i.e. a bot) will be able to talk to a CDN without being prompted
to solve a captcha or do some anubis style proof of work...

-- 
In my defence, I have been left unsupervised.