The root servers use anycast, so you can figure there are "several" nameservers with the same address scattered around the 'tubes, and distinguished by the routes announced in different places.

There are and have been alternate roots since the beginnings of internet time, notwithstanding Mockapetris' opinion that people who advertise false root should be shot.

Writing a decent recursive nameserver is nontrivial; I've written several for specific purposes, but generally I use BIND.

I concur that running a recursive server for your SMTP server is best practice because network intelligence is oftentimes utilized for spam / malware mitigation. I'm unclear why you need it for e.g. HTTP.

> few root servers with a few people that have keys to them

Well, kind of. As said, there are quite a few root servers although the control is in the hands of relatively few. Maybe you realize this, maybe you don't but yes there are keys for DNSSEC. I'm not sure exactly how it works, but several people have to cooperate to sign the root zone. They have key signing ceremonies which are televised online. During COVID I watched them drill a lockbox, because one of the keyholders couldn't make it to the ceremony; fun times.

@m3047 3 months ago
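As an added illustration of the "network intelligence" the post above refers to (this is example code, not anything from the poster or from BIND): the usual form is a DNS-based blocklist lookup, where the mail server reverses the connecting IP's octets, queries under a blocklist zone, and reads a 127.0.0.0/8 answer as "listed" (the conventions in RFC 5782). The zone name `dnsbl.example` and the canned resolver results are constructed for the demonstration; a real MTA would send the query to its local recursive resolver. Many blocklist operators rate-limit or refuse queries relayed through large public resolvers, which is one concrete reason to run your own recursive server next to the SMTP server.

```python
import ipaddress

DNSBL_ZONE = "dnsbl.example"   # hypothetical blocklist zone (constructed)


def dnsbl_query_name(addr: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    IPv6 addresses use the fully expanded address reversed nibble by nibble
    (RFC 5782 convention)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(reversed(ip.exploded.replace(":", "")))
    return ".".join(labels) + "." + zone


def classify_reply(answers: list[str]) -> str:
    """Interpret the A records returned for a DNSBL query.
    No answer (NXDOMAIN) means not listed; 127.0.0.0/8 means listed, with the
    last octets carrying the operator-specific reason; anything else is bogus
    (for example a resolver that rewrites NXDOMAIN to an ad-server address)."""
    if not answers:
        return "not-listed"
    reasons = []
    for a in answers:
        if ipaddress.IPv4Address(a) not in ipaddress.IPv4Network("127.0.0.0/8"):
            return "invalid-reply"
        reasons.append(a)
    return "listed:" + ",".join(sorted(reasons))


# Constructed stand-in for what the local recursive resolver would return.
CANNED_RESOLVER = {
    "4.3.2.1.dnsbl.example": ["127.0.0.2"],      # listed, generic code
    "8.8.8.8.dnsbl.example": [],                  # NXDOMAIN: not listed
    "9.9.9.9.dnsbl.example": ["93.184.216.34"],   # rewritten/bogus answer
}


def check_sender(addr: str) -> str:
    """Full lookup for one connecting IP against the canned resolver."""
    return classify_reply(CANNED_RESOLVER.get(dnsbl_query_name(addr), []))
```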

@DyslexicAtheist 3 months

Replying to @m3047 🗣

> but yes there are keys for DNSSEC

why would you want DNSSEC?


@bullen 3 months

Replying to @m3047 🗣

I don't like anycast because I think it requires BGP and backbone access or similar expensive stuff. DNS should have had regions in the main protocol so that people in EU don't use a DNS server in Asia f.ex. But it's too late for that now.

I might use geolocation on my DNS replies, and unfortunately here is the 2nd flaw of DNS, the replies should follow the sent order, because as the protocol works now you either get round-robin redundancy or direct your users to the hopefully correct continent, you can't have both!

As for my brute force workaround: I use IPs for connecting as often as I can, and the hostname is just for virtual hosting to work.

So all my applications have euro., asia. and iowa. prefixes and when outside of a browser I can "hardcode" the IPs so that extra second of lookup never hits my users.

Of course that requires fixed IPs and open port 53, which is something every home fiber owner should ask for to distribute the internet again!


@bvm 3 months

Replying to @m3047 🗣


Here is a link to the key signing ceremony if, like I was, you are interested.

Maybe it's the englisher in me, but I was hoping for more grandeur, perhaps some kind of ceremonial mace or at least a benediction.


