this post was submitted on 21 Jul 2023
1433 points (98.9% liked)
Technology
60067 readers
5730 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
What's the point of alternative DNS roots? Can they be a thing to mitigate DNS related failures (though lemmy.ml is back online, so I guess that wasn't it)?
An alternative DNS root is where someone other than IANA sets up a root zone. At the end of the day, root zone authority is technically not "hard coded". It's a terrible idea to set up an alt root or to use one for these reasons:
To answer your second question, they are not good for acting as a way to mitigate DNS failures. No domain servers are going to be asking them in the first place, meaning no one can get there even if it does have the "correct" answer. If all 13 root servers went down simultaneously, the results would be catastrophic. But that's also why they're physically located around the world in many different countries in heavily secure facilities with many High-Availability servers (clone servers that instantly take over if there's a failure, the ultimate "hot" server)
You wouldn't want to have a DNS server ask two root zones anyway. If it can't reach the root zones, then that needs to be addressed. You can't just ask a "less secure" server in case the primary doesn't work. That's just begging for a security breach via cutting off access to the primary root zones so that they "fail over" to the less secure ones.
Thank you for such a detailed and instructive answer!