[dnssec-deployment] A gazillion new TLDs

Paul Vixie paul at vix.com
Fri Jun 27 10:10:03 EDT 2008

i'm bundling two on-topic responses to try to limit thread splay:

> From: Scott Rose <scottr at nist.gov>
> Assuming there are a lot of new TLDs added and most/all of the new TLDs
> deploy DNSSEC there will be two noticeable impacts:
> 1.  Caches will grow even larger (if resolvers query for names in these new
> TLDs)

i won't use steve's word ("silly") since it might upset people.  instead let
me say that #1 as stated above seems to be a non sequitur.  cache size depends
on overall namespace size, and then as you say, working set size.  neither
the overall namespace nor the working set will be made different just because
the shape of the namespace (more TLDs) changes.

i'm on record, many times over the last decade, that a million TLDs is not
going to change the root server system's provisioning, nor the average joe's
cache size, at all.  it's only when names get used that any of this matters,
and most of the traffic hitting the root name servers is complete garbage and
is probably going to continue to be complete garbage.

(the fix to that would be if nobody could be on the internet if they didn't
properly implement negative caching, and, if NXDOMAIN responses could say not
just that the name you queried doesn't exist, but that the TLD you're trying
doesn't exist, so please negatively cache that.  neither of these things is
ever going to happen, so, the root servers are massively overprovisioned, and
within the headroom we have to maintain to handle the garbage, a million more
TLDs would be noise by comparison.)


> From: Edward Lewis <Ed.Lewis at neustar.biz>
> ...
> ...  Will the current informal arrangement of the (ICANN) root servers hold
> - I mean, lacking accountability by the operators to ICANN?

this is another ... i won't say silly ... non sequitur.  the current informal
arrangement of the internet's (not icann's per se) root name servers will
hold, regardless.  and while some of us do have some accountability to icann,
that isn't what makes the current informal arrangement so robust.  please,
folks, if you want to solve some problem, go and find one first.  anybody who
thinks they've found a weakness in the root name server system should raise
their concerns directly.  don't presume, and don't imply.
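
A toy model of the two technical points in the message above (cache size tracks the names actually queried, not the number of TLDs in the root zone, and a TLD-level negative cache would absorb most junk queries), added here as an illustration and not part of the original post. The function names, the query stream and the "unusedN" TLD labels are constructed assumptions; TTLs and everything below the TLD referral are ignored.

```python
# Added example: one caching resolver replaying a constructed query stream.

def simulate(queries, root_tlds, negcache):
    """Return (queries sent to the root, cache entries held).

    negcache is "none", "qname" (remember NXDOMAIN per queried name) or
    "tld" (hypothetical: remember that the whole TLD does not exist).
    """
    delegations, negative = set(), set()
    root_queries = 0
    for qname in queries:
        tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in delegations:
            continue  # referral already cached, root not consulted
        key = tld if negcache == "tld" else qname.lower()
        if negcache != "none" and key in negative:
            continue  # answered from the negative cache
        root_queries += 1
        if tld in root_tlds:
            delegations.add(tld)
        elif negcache != "none":
            negative.add(key)
    return root_queries, len(delegations) + len(negative)


def constructed_stream():
    """Constructed sample: 150 names under delegated TLDs and 600 junk
    names under three undelegated TLDs, each asked three times."""
    good = [f"www{i}.example.{t}" for i in range(50) for t in ("com", "org", "net")]
    junk = [f"host{i}.{t}" for i in range(200) for t in ("local", "lan", "corp")]
    return (good + junk) * 3


def padded_root(used, extra=1_000_000):
    """Root zone holding the used TLDs plus `extra` delegated-but-unqueried ones."""
    return set(used) | {f"unused{i}" for i in range(extra)}


if __name__ == "__main__":
    stream = constructed_stream()
    small = {"com", "org", "net"}
    for label, root in (("3 TLDs", small), ("3 + 1,000,000 TLDs", padded_root(small))):
        for mode in ("none", "qname", "tld"):
            sent, held = simulate(stream, root, mode)
            print(f"{label:>20}  negcache={mode:<5}  root queries={sent:>4}  cache entries={held}")
```

The rows for the small and the padded root zone come out identical, and only the negative-caching mode changes how many queries reach the root.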

