From owner-freebsd-questions@FreeBSD.ORG Sun Feb 19 00:14:48 2012
Message-ID: <4F403EF7.2090505@FreeBSD.org>
Date: Sat, 18 Feb 2012 16:14:47 -0800
From: Doug Barton
Organization: http://SupersetSolutions.com/
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:10.0.2) Gecko/20120218 Thunderbird/10.0.2
To: Damien Fleuriot
Cc: "freebsd-questions@freebsd.org", Jeremy Chadwick
References: <4F3E5925.8020004@my.gd> <4F3EE984.8020007@FreeBSD.org> <4F3F8A38.10303@my.gd>
In-Reply-To: <4F3F8A38.10303@my.gd>
Subject: Re: DNS - slaving the root zone
List-Id: User questions

On 02/18/2012 03:23, Damien Fleuriot wrote:
>
> On 2/18/12 12:57 AM, Doug Barton wrote:
>>
>> To clarify, almost universally the opposition to the idea centers around
>> the problems of users who enable this method, and then don't notice if
>> something changes/breaks, resulting in a stale zone (or zones, depending
>> on what you choose to slave). I have always acknowledged that this is a
>> valid concern, just not one that I think overwhelms the virtues of doing
>> the slaving in the first place.
>>
>
> Could you elaborate on the "something changes/breaks, admin doesn't
> notice, results in a stale zone" bit?

Most commonly whatever auth. server the user is axfr'ing from suddenly
stops offering that ability.

> I fail to see the circumstances under which that could happen.

I tend to agree, which is why I weight this particular objection pretty
low. If you don't notice failed axfrs, you've already got deeper
problems. :)

To be fair however, there are a lot of people who believe (rightly or
wrongly) that resolving DNS should be a "fire and forget" service. Those
of us who do this for a living know that this was never true, and DNSSEC
makes that even less true. However, if you happen to be one of those
people, this method is not for you.

> Indeed, been deleting the traditional hint file based . zone for a while
> and using the slaving mechanism for over a year already, works fine
> enough for us.

I'm glad to hear that. Makes me feel that my efforts in this area have
been worthwhile.

> You have me somewhat worried with the bit about something breaking
> though, thus the call for details ;)

Understood. You don't seem to be the type of operator who is likely to
run afoul here, FWIW.

Doug

--
	It's always a long day; 86400 doesn't fit into a short.

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
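The failure mode discussed above (the AXFR source quietly stops offering transfers and the slaved root zone goes stale) is only a problem if nobody is watching the serial. The script below is an added example written for this page, not code from the thread or from FreeBSD's named.conf: it compares the SOA serial the local resolver holds for "." with the serial a root server publishes and exits non-zero when they differ, so it can run from cron and page someone. It assumes dig(1) is installed, that the resolver listens on 127.0.0.1, and that k.root-servers.net is an acceptable reference (both are just defaults; any root server or the configured masters will do). The sample SOA lines used for the offline run are constructed, with timers copied from the root zone's published values.

```shell
#!/bin/sh
# root-slave-check.sh: detect a stale slaved root zone by comparing the SOA
# serial the local resolver serves for "." with the serial a root server
# serves. Added example; not part of the original thread.
# Assumptions: dig(1) is available, resolver on 127.0.0.1, k.root-servers.net
# as the reference server. Both can be overridden on the command line.

# Pull the serial out of a dig(1) SOA answer line in its long form, e.g.
#   .  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2012021801 1800 900 604800 86400
# Fields: owner ttl class type mname rname serial refresh retry expire minimum,
# so the serial is field 7. Prints nothing if no SOA line is present.
soa_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# Classify the local copy against the master's serial.
# Prints CURRENT, BEHIND local=<n> master=<m>, AHEAD, NOZONE or NOMASTER and
# returns 0 only for CURRENT, so cron/monitoring can alert on the exit status.
# Serials are compared as plain integers; that is adequate for the root zone's
# date-based YYYYMMDDNN serials (RFC 1982 wrap-around arithmetic is deliberately
# not implemented here).
classify() {
    local_serial=$1
    master_serial=$2
    if [ -z "$local_serial" ]; then
        echo NOZONE; return 1        # resolver down, or no zone "." loaded at all
    fi
    if [ -z "$master_serial" ]; then
        echo NOMASTER; return 1      # reference unreachable: fail loudly, never silently
    fi
    if [ "$local_serial" -eq "$master_serial" ]; then
        echo CURRENT; return 0
    elif [ "$local_serial" -lt "$master_serial" ]; then
        echo "BEHIND local=$local_serial master=$master_serial"; return 1
    else
        echo AHEAD; return 1         # local newer than a root server: something is wrong
    fi
}

# Live check against the network.
# Usage: root-slave-check.sh live [resolver] [root-server]
live_check() {
    resolver=${1:-127.0.0.1}
    root=${2:-k.root-servers.net}
    # +norecurse: ask for what the resolver already holds, not what it would fetch.
    local_line=$(dig @"$resolver" . SOA +noall +answer +norecurse)
    master_line=$(dig @"$root" . SOA +noall +answer +norecurse)
    classify "$(soa_serial "$local_line")" "$(soa_serial "$master_line")"
}

# Offline demonstration on constructed SOA lines (timers as published for the
# root zone: refresh 1800, retry 900, expire 604800, minimum 86400).
demo() {
    ok='.  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2012021801 1800 900 604800 86400'
    old='.  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2012021501 1800 900 604800 86400'
    classify "$(soa_serial "$ok")"  "$(soa_serial "$ok")"   # CURRENT
    classify "$(soa_serial "$old")" "$(soa_serial "$ok")"   # BEHIND local=2012021501 master=2012021801
    classify ""                     "$(soa_serial "$ok")"   # NOZONE
    return 0
}

if [ "${1:-}" = live ]; then
    live_check "$2" "$3"
else
    demo
fi
```

Run it as `sh root-slave-check.sh live` from cron and alert on a non-zero exit. The root zone's serial changes more than once a day, so a source that has stopped answering AXFR shows up as a BEHIND result that keeps growing, long before the zone's 604800-second expire timer runs out; named also records each failed transfer under its xfer-in logging category, which is worth forwarding to the same alerting channel.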