Date: Sat, 18 Feb 2012 16:14:47 -0800
From: Doug Barton <dougb@FreeBSD.org>
To: Damien Fleuriot <ml@my.gd>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, Jeremy Chadwick <freebsd@jdc.parodius.com>
Subject: Re: DNS - slaving the root zone
Message-ID: <4F403EF7.2090505@FreeBSD.org>
In-Reply-To: <4F3F8A38.10303@my.gd>
References: <4F3E5925.8020004@my.gd> <4F3EE984.8020007@FreeBSD.org> <4F3F8A38.10303@my.gd>
On 02/18/2012 03:23, Damien Fleuriot wrote:
>
> On 2/18/12 12:57 AM, Doug Barton wrote:
>>
>> To clarify, almost universally the opposition to the idea centers around
>> the problems of users who enable this method, and then don't notice if
>> something changes/breaks, resulting in a stale zone (or zones, depending
>> on what you choose to slave). I have always acknowledged that this is a
>> valid concern, just not one that I think overwhelms the virtues of doing
>> the slaving in the first place.
>>
>
> Could you elaborate on the "something changes/breaks, admin doesn't
> notice, results in a stale zone" bit ?

Most commonly whatever auth. server the user is axfr'ing from suddenly
stops offering that ability.

> I fail to see the circumstances under which that could happen.

I tend to agree, which is why I weight this particular objection pretty
low. If you don't notice failed axfrs, you've already got deeper
problems. :)

To be fair however, there are a lot of people who believe (rightly or
wrongly) that resolving DNS should be a "fire and forget" service. Those
of us who do this for a living know that this was never true, and DNSSEC
makes that even less true. However, if you happen to be one of those
people, this method is not for you.

> Indeed, been deleting the traditional hint file based . zone for a while
> and using the slaving mechanism for over a year already, works fine
> enough for us.

I'm glad to hear that. Makes me feel that my efforts in this area have
been worthwhile.

> You have me somewhat worried with the bit about something breaking
> though, thus the call for details ;)

Understood. You don't seem to be the type of operator who is likely to
run afoul here, FWIW.

Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
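The failure mode discussed in this message (transfers silently stop, the slaved root zone goes stale and nobody notices) is easy to catch with a periodic check. The script below is an added example, not code from the thread or from BIND: it compares the SOA serial your local named serves for "." against the serial on the server you transfer from, using RFC 1982 serial arithmetic so a serial wrap is handled. It assumes BIND's `dig` is installed; the master address is a placeholder to replace with the server you actually AXFR from.

```shell
#!/bin/sh
# Added example (not from the thread): monitoring check for a slaved root zone.
# Assumes `dig` from BIND. MASTER_SERVER is a placeholder (documentation
# address), replace it with the server you actually transfer "." from.

LOCAL_SERVER="127.0.0.1"
MASTER_SERVER="192.0.2.1"   # placeholder, not a real transfer source

# soa_serial SERVER: print the SOA serial of "." as served by SERVER, or
# nothing if the query fails (an expired slave zone answers SERVFAIL).
soa_serial() {
    dig @"$1" . SOA +short +time=3 +tries=1 2>/dev/null | awk '{ print $3 }'
}

# serial_behind OLD NEW: succeed (exit 0) when OLD is older than NEW under
# RFC 1982 serial-number arithmetic (32-bit ring, half-range comparison).
serial_behind() {
    old=$1; new=$2
    [ "$old" = "$new" ] && return 1
    diff=$(( (new - old + 4294967296) % 4294967296 ))
    # NEW is newer when it is less than 2^31 ahead of OLD on the ring
    [ "$diff" -lt 2147483648 ]
}

# check_root_zone: 0 = in sync, 1 = stale, 2 = local zone unavailable,
# 3 = master unreachable. Prints a Nagios-style status line.
check_root_zone() {
    local_serial=$(soa_serial "$LOCAL_SERVER")
    master_serial=$(soa_serial "$MASTER_SERVER")
    if [ -z "$local_serial" ]; then
        echo "CRITICAL: local named returns no SOA for . (zone expired or not loaded)"
        return 2
    fi
    if [ -z "$master_serial" ]; then
        echo "WARNING: cannot query SOA from $MASTER_SERVER; local serial $local_serial"
        return 3
    fi
    if serial_behind "$local_serial" "$master_serial"; then
        echo "WARNING: root zone stale: local $local_serial, master $master_serial"
        return 1
    fi
    echo "OK: root zone serial $local_serial matches master"
    return 0
}

# Run the network check only when invoked as: sh check-root-zone.sh --check
case "${1:-}" in --check) check_root_zone ;; esac
```

Run it from cron with `--check` and alert on any non-zero exit; a serial that stays behind the master across several refresh intervals means the transfer is no longer happening.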