Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

Philip Homburg <> Tue, 31 July 2018 14:38 UTC

Cc: Joe Abley <>
From: Philip Homburg <>
Date: Tue, 31 Jul 2018 16:38:34 +0200

> Are you suggesting that web servers can't be massively scalable?
> I'm not sure I understand your examples.

Yes, you can build massively scalable web servers, but at what price?

What if some popular IoT device starts to fetch the root zone? And at a
high rate?

> You cite overprovisioning in the root server system as a reason
> not to try and supplement it, but I think it makes sense to look
> at it the other way round -- if there were ways to distribute the
> root zone reliably and accurately without presenting the attack
> targets that the root server system does, the need for continued
> investment in the infrastructure could be reduced (or the effective
> benefit to end-users from that investment could be increased).

What if your web servers are not massively overprovisioned? Can we handle
failures there? If you do massively overprovision those web servers, will it
actually be cheaper or better than the current system?

> The bandwidth available at the consumer edge, where a lot of the
> attack sources now live, continues to grow far faster than the
> bandwidth that can be provisioned at the root server edge. The
> observation that "there's enough bandwidth that we're safe" doesn't
> seem future-proof (it doesn't even seem present-proof, really).

From a DDoS point of view there doesn't seem to be a big difference between
how the current DNS root absorbs traffic and what a highly available web
service would have to do.