On 30. 10. 25 16:46, Geoff Huston wrote:
On 30 Oct 2025, at 3:31 pm, Randy Bush <randy@psg.com> wrote:
The surprising thing to me about this is that anybody thinks this is surprising. Evi Nemeth wrote about this over 20 years ago.
indeed
but a question. what are one or two simple things that operators could do to have useful impact?
again: one or two. simple. impact.
Great question Randy. For a bind resolver adding
zone "." { type mirror; };
to your local configuration will have a useful impact. simple. immediate.
Geoff, do you have data which compare properties of these two BIND configs?

a) zone "." { type mirror; };
b) // empty config file

I'm very eager to see data!

Personally I would think RFC8198 and DNSSEC validation, both of which are on by default in current BIND versions, should result in behavior closer to optimal than a plain mirror zone enabled in all configs. My thinking is - most resolvers will not query _all_ of the NSEC ranges and DS RRs in the root zone during a single day, thus most of the AXFR content would be wasted on most of the resolvers.

I'm trying to say - for a well-behaved resolver implementation, I don't think mirror zone vs. RFC8198 is an absolutely clear winner as you propose above.

Personally I postulate the vast majority of traffic at the root is NOT from caching recursive resolvers but in fact from some other sources of junk, and so changing the behavior of caching recursive resolvers will not have a useful impact on root zone traffic. But I don't have data. Do you have some?

--
Petr Špaček
Internet Systems Consortium
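The RFC 8198 mechanism Petr contrasts with a mirror zone, as an added illustration that is not code from the thread or from BIND: a resolver that has validated a few root-zone NSEC records can decide from cache whether a name under the root is nonexistent, is a delegation, or needs a fresh root query. The NSEC records and query names below are constructed samples, not real root-zone data.

```python
# RFC 8198 "aggressive use of DNSSEC-validated cache", reduced to the
# NSEC covering test a validating resolver performs before asking the root.

# Constructed sample of cached, already-validated root-zone NSEC records:
# (owner, next owner, type bitmap). The apex NSEC is deliberately omitted.
CACHED_NSEC = [
    ("com.", "coop.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("net.", "nf.",   {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw.",  ".",     {"NS", "DS", "RRSIG", "NSEC"}),  # last NSEC wraps to apex
]


def _key(name: str):
    """Canonical ordering key (RFC 4034 s.6.1): lowercase labels, compared
    right to left. Python compares lists of bytes label by label, so a
    shorter name sorts before any name below it, as the RFC requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode() for l in reversed(labels)]


def lookup_from_cache(qname: str, cached=CACHED_NSEC) -> str:
    """Return what the cache alone can say about qname:
    EXISTS     - qname is an NSEC owner, so it exists (answer from cache)
    DELEGATION - qname is below a cut (NS bit set); go to the child, not root
    NXDOMAIN   - an NSEC covers qname, so it is synthesised per RFC 8198
    UNKNOWN    - no cached NSEC covers qname; a root query is needed"""
    q = _key(qname)
    for owner, nxt, types in cached:
        o, n = _key(owner), _key(nxt)
        if q == o:
            return "EXISTS"
        # Below a cached delegation: the parent's NSEC says nothing about
        # names in the child zone, so do not synthesise NXDOMAIN.
        if o and len(q) > len(o) and q[: len(o)] == o and "NS" in types:
            return "DELEGATION"
        wraps = n <= o  # final NSEC of the zone points back to the apex
        if (wraps and q > o) or (not wraps and o < q < n):
            return "NXDOMAIN"
    return "UNKNOWN"


if __name__ == "__main__":
    for name in ("comb.", "zzz.", "COM.", "www.com.", "example."):
        print(f"{name:12} -> {lookup_from_cache(name)}")
```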