Warren Kumari (Google) and Paul Hoffman (VPN Consortium) discussed their draft to permit recursive DNS resolvers to fetch the signed root zone, and serve it. A remarkably sensible, and cautious approach to finding the bootstrapping ‘cache’ of data which normally has to be fetched from one of the 13 magic root NameServers (NS). (Remember there are significantly more than 13 actual servers, just 13 ‘labels’ which can be the servers. About 500 actual instances exist worldwide using Anycast IP routing to localize which is seen.)
Oddly, they seem to have taken a hugely cautious approach to doing this. They go out of their way to remove the authority bit (AA) signal which roots use to say they are publishing data of their origination, and don’t claim to be widening the root, just taking a mechanism out into the air on how to fetch the root data into the caching resolver community. This is probably about the politics more than the technology. They don’t want to tread on the root operations toes!
A “competing” draft proposes modifying the root priming message to permit a couple more NS addresses to be added, and having IANA hold title to these to be anycast by any agency which wants to offer the root. This would make the root more like AS112. It shares the requirement that the zone be signed, since that’s the basis of trusting the contents irrespective of who serves it. They also rely on DNSSEC signed updates to propagate the changes to the zone but then have no synchronization/distribution issue since its all built into the DNS protocols.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.