Randy Bush <randy@psg.com> writes:
> what's new? how about the operational technical effects, like data from modeling various resolvers' responses to a large root zone?
I think the proper model is popular TLDs, perhaps the traditional gTLDs. As any (even former) decent sized TLD operator can tell you, BIND and NSD are both quite functional for this, and there are also some proprietary authoritative nameservers out there that have excellent performance. Getting north of 100k queries/second answered authoritatively [*] from a single nameserver process on a single box (large zone, millions of records) is almost something one can do with an out of the box config. Things can get hairy with high update rates, so I'd encourage ICANN to dig in its heels about the 2x per day update rate, though even if they did it on demand, the $185k fee is probably sufficient to keep the number of delegations, and thus updates, down to a dull roar.

An interesting question is what the load effects will be on the root. Inasmuch as the root operators (who can provide more detailed data themselves) send NXDOMAIN, REFUSED, or some SOL-semantically-similar response to 99%+ of the queries they get already, even a two order of magnitude lift on the number of legit queries will result in only a 2x lift in load on the roots. The operative question is "is two orders of magnitude a safe guess?". I don't have a good answer for that. The team over at ICANN has already likely thought this through in insane detail and I'm not saying anything new (to them anyway). Maybe they can speak to it.

-r

[*] to be pedantic, the AA flag is not set on the response to an NS query to a delegating nameserver. We'll call it authoritative anyway, since it is for the zone in which the delegation lives. :-P