IETF Logo Mail Archive

[DNSOP] Re: DNSOP4 documents for consideration about the future of LocalRoot behavior.

Libor Peltan <libor.peltan@nic.cz> Wed, 04 February 2026 09:26 UTC

Return-Path: <libor.peltan@nic.cz>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1CFC0B1A6A6E for <dnsop@mail2.ietf.org>; Wed, 4 Feb 2026 01:26:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level:
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fj7tK6Z3P9-j for <dnsop@mail2.ietf.org>; Wed, 4 Feb 2026 01:26:57 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A402CB1A6A61 for <dnsop@ietf.org>; Wed, 4 Feb 2026 01:26:57 -0800 (PST)
Received: from [IPV6:2001:1488:fffe:6:9f8b:4536:406c:7941] (unknown [IPv6:2001:1488:fffe:6:9f8b:4536:406c:7941]) by mail.nic.cz (Postfix) with ESMTPSA id C7BC11C0632; Wed, 4 Feb 2026 10:26:49 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nic.cz; s=default; t=1770197210; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=E4kpjNgHpR/eJ/ypYPfb8dbutszC62Bh8r9vQ4fyguM=; b=DT0bOXtPQMhlcG+JulD0MDGiCTkpKKgsfcplEkLcth3RUSBoVgE7bFkoEMoykkxTn2VSJV h/DtE4ioRm9FBnipKi/c9g+OcLrYrUzjZmqF2n2xJqLDOB67+rQq9epqsv/45AB4Kpw2yE ER7fYA0UDHolLIY1a89X6UT6K4fbkZM=
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=libor.peltan@nic.cz smtp.mailfrom=libor.peltan@nic.cz
Content-Type: multipart/alternative; boundary="------------qF0kdhSbqg8Jas6eb9Z7d0iG"
Message-ID: <820330a1-120a-4bb7-8421-2976d955a348@nic.cz>
Date: Wed, 04 Feb 2026 10:26:49 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, George Michaelson <ggm@algebras.org>, dnsop WG <dnsop@ietf.org>
References: <ybla4y6lwjf.fsf@wx.hardakers.net> <CAKr6gn0yUL1X87+BavA569LGMaWe2VY4a6-iqTAmzwdrZVPx_g@mail.gmail.com> <ybla4y6ia6t.fsf@wx.hardakers.net> <CAKr6gn1L=hHOj2he0Rs_38B5n3pnNZw3xFMx36QLcjthJfUosQ@mail.gmail.com> <yblwm1agppa.fsf@wx.hardakers.net> <25556.1769124242@obiwan.sandelman.ca> <DS0PR15MB567499ECC061876A8A244F35B394A@DS0PR15MB5674.namprd15.prod.outlook.com> <ybl8qdng7r4.fsf@wx.hardakers.net> <20260124030638.D7CFBF2E6F2E@ary.qy> <ybly0lneka7.fsf@wx.hardakers.net> <CAKr6gn2nV+B0mjdCixKG+2UpdmtHFxp_1ZqzK5WFuK4Hxd9GGg@mail.gmail.com> <DS0PR15MB5674E9944F3090E1D48F62CFB393A@DS0PR15MB5674.namprd15.prod.outlook.com>
Content-Language: en-US
From: Libor Peltan <libor.peltan@nic.cz>
In-Reply-To: <DS0PR15MB5674E9944F3090E1D48F62CFB393A@DS0PR15MB5674.namprd15.prod.outlook.com>
X-Spamd-Result: default: False [-0.10 / 16.00]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; FROM_HAS_DN(0.00)[]; ASN(0.00)[asn:25192, ipnet:2001:1488::/32, country:CZ]; REDIRECTOR_FALSE(0.00)[root-servers.net->urldefense.com:urldefense.com,isi.edu->urldefense.com:urldefense.com,icann.org->urldefense.com:urldefense.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DKIM_SIGNED(0.00)[nic.cz:s=default]; WHITELISTED_IP(0.00)[2001:1488:fffe:6:9f8b:4536:406c:7941]
X-Rspamd-Action: no action
X-Rspamd-Pre-Result: action=no action; module=multimap; Matched map: WHITELISTED_IP
X-Rspamd-Server: mail
X-Spamd-Bar: /
X-Rspamd-Queue-Id: C7BC11C0632
Message-ID-Hash: UOCBJM6SEETWSVPPDGFKAEKEOFDXBP2F
X-Message-ID-Hash: UOCBJM6SEETWSVPPDGFKAEKEOFDXBP2F
X-MailFrom: libor.peltan@nic.cz
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: DNSOP4 documents for consideration about the future of LocalRoot behavior.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pfD0EcTk3ot-RQmKvQKf6ba3PXM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi,

As a DNS nerd, I also favor AXFR/IXFR for local root updates. However, 
the public AXFR service needs to be provided by *different* nameservers 
than normal root zone answering, because AXFR is easy to DoS and often 
can suffer even with high load of legitimate traffic. So we need to care 
that it doesn't disrupt the normal root DNS (even TCP) answering.

And yes, the root zone signing process should be modernized to be able 
to sign incrementally, in any case. But that's not critical.

As an alternative, I have also thought that as root zone is signed with 
NSECs, the resolvers actually can fill their cache by simply iterating 
the zone with normal queries :) But then I thought, that simply enabling 
aggresive negative caching is more efficient.

Anyway, what are the main benefits of local root against negative caching?

I concur to the caution that transferring zone files over HTTP(S) looks 
weird and care must be taken not to fall to some circular dependency 
(HTTPS TLS certificate requiring working DNS?). But one argment for this 
is that it is already implemented and running.

Libor


On 26. 01. 26 17:57, Ben Schwartz wrote:
> Standardizing protocol elements for public distribution of zone files 
> over HTTP (e.g. defining content-types, providing guidance on cache 
> header usage) seems like a grand idea.  Let's make it easy to mirror 
> the root zone over HTTP, sure.
>
> Suggesting that LocalRoot resolvers use HTTP, on the other hand, seems 
> like a dangerous shortcut.  HTTP is enormously complicated, and 
> normally relies on DNS in many different ways. Incorporating it as a 
> formal dependency of DNS, even optionally, adds a lot of complexity, 
> probably including the need for a non-HTTP fallback path to break the 
> cyclic dependency.
>
> LocalRoot resolvers are welcome to fetch the zone using HTTP, 
> BitTorrent, or however else they like.  But when setting requirements 
> for LocalRoot resolvers, or standardizing publication points, we 
> should focus on making DNS a self-contained system that bootstraps 
> from TCP/IP in the simplest achievable way.
>
> If there are real concerns about the efficiency of zone distribution 
> in DNS, I would prefer to invest in correcting them within the DNS 
> protocol.  (IXFR seems well-suited to LocalRoot, but we could pretty 
> easily layer on ZSTD or something if needed.)
>
> I do see the appeal of taking this opportunity to break out of the 
> 13-letters paradigm.  However, I think caution is also warranted 
> there.  The proposed "root zone publication points" system effectively 
> introduces a hard dependency on HTTP, to accomplish the equivalent of 
> what DNS Priming does in-band.  I would prefer some form of in-band 
> priming, perhaps encoding the list of "AXFR root servers" into the 
> root zone.
>
> --Ben
> ------------------------------------------------------------------------
> *From:* George Michaelson <ggm@algebras.org>
> *Sent:* Saturday, January 24, 2026 3:53 AM
> *To:* dnsop WG <dnsop@ietf.org>
> *Subject:* [DNSOP] Re: DNSOP4 documents for consideration about the 
> future of LocalRoot behavior.
> One of the principal advantages of http to a file is that the world 
> has built out CDN to be efficient at back and front end delivery of 
> this content. I can name many many entities who could do this with 
> zero code simply by running cron job on
> One of the principal advantages of http to a file is that the world 
> has built out CDN to be efficient at back and front end delivery of 
> this content. I can name many many entities who could do this with 
> zero code simply by running cron job on a frequency chosen to fit 
> timely update, and then content placement in their normal distribution 
> method.
>
> This is very attractive to me. It means I can say to people who want 
> to help distribute the root, it's next to zero public facing code 
> change to be able to do it.
>
> Please do not misunderstand this as disrespecting in band in protocol 
> AXFR. My point is this increases the surface of participation in 
> broadcasting the root, as a public good, in ways which demanding 
> competency and literacy in DNS do not.
>
> G
>
> On Sat, 24 Jan 2026, 1:56 pm Wes Hardaker, <wjhns1@hardakers.net> wrote:
>
>     "John Levine" <johnl@taugh.com> writes:
>
>     > ICANN has two public AXFR servers at xfr.cjr.dns.icann.org
>     <https://urldefense.com/v3/__http://xfr.cjr.dns.icann.org__;!!Bt8RZUm9aw!4we9Qu0B3pricHKBRb6NS5ac3Z6zsJrLFxv8AO9QXPgRBl_G8EFpK3k9NM6khoLuM1SmHpMF$>
>     and
>     > xfr.lax.dns.icann.org
>     <https://urldefense.com/v3/__http://xfr.lax.dns.icann.org__;!!Bt8RZUm9aw!4we9Qu0B3pricHKBRb6NS5ac3Z6zsJrLFxv8AO9QXPgRBl_G8EFpK3k9NM6khoLuM6z3Pt0z$>.
>     How about asking them what their experience has
>     > been, how's the load, how hard is it to manage, how have they dealt
>     > with the sorts of attacks that people make on public servers.
>
>     If they have that information, of course it would be helpful.
>
>     I can tell you from the perspective of b.root-servers.net
>     <https://urldefense.com/v3/__http://b.root-servers.net__;!!Bt8RZUm9aw!4we9Qu0B3pricHKBRb6NS5ac3Z6zsJrLFxv8AO9QXPgRBl_G8EFpK3k9NM6khoLuMxpk6WBm$>
>     what our load
>     has been like: it's been growing since 2022 or so (and we haven't
>     really
>     noticed any issues):
>
>     https://ant.isi.edu/~hardaker/tmp/xfr-counts-by-date.png
>     <https://urldefense.com/v3/__https://ant.isi.edu/*hardaker/tmp/xfr-counts-by-date.png__;fg!!Bt8RZUm9aw!4we9Qu0B3pricHKBRb6NS5ac3Z6zsJrLFxv8AO9QXPgRBl_G8EFpK3k9NM6khoLuMyyxF0Cv$>
>
>     https://ant.isi.edu/~hardaker/tmp/xfr-counts-uniq-srcs.png
>     <https://urldefense.com/v3/__https://ant.isi.edu/*hardaker/tmp/xfr-counts-uniq-srcs.png__;fg!!Bt8RZUm9aw!4we9Qu0B3pricHKBRb6NS5ac3Z6zsJrLFxv8AO9QXPgRBl_G8EFpK3k9NM6khoLuM62JmF7u$>
>
>     https://ant.isi.edu/~hardaker/tmp/xfr-counts-by-ASN.png
>     <https://urldefense.com/v3/__https://ant.isi.edu/*hardaker/tmp/xfr-counts-by-ASN.png__;fg!!Bt8RZUm9aw!4we9Qu0B3pricHKBRb6NS5ac3Z6zsJrLFxv8AO9QXPgRBl_G8EFpK3k9NM6khoLuM7ktvRGH$>
>
>     (the horizontal data points is 1 sample day every 3 months since
>     late 2016)
>
>     I'll mention again that the current documents state we should have
>     multiple protocol transfer options available for implementations and
>     operators to choose from.  This is sort of already case in existing
>     implementations and we should support those.  IMHO, AXFR should
>     definitely be one choice.  But a zonefile-over-HTTPS makes sense
>     to me too.
>
>     -- 
>     Wes Hardaker
>     Google
>
>     _______________________________________________
>     DNSOP mailing list -- dnsop@ietf.org
>     To unsubscribe send an email to dnsop-leave@ietf.org
>
>
> _______________________________________________
> DNSOP mailing list --dnsop@ietf.org
> To unsubscribe send an email todnsop-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status