Date: Fri, 17 Feb 2012 15:57:56 -0800
From: Doug Barton <dougb@FreeBSD.org>
To: Damien Fleuriot <ml@my.gd>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, Jeremy Chadwick <freebsd@jdc.parodius.com>
Subject: Re: DNS - slaving the root zone
Message-ID: <4F3EE984.8020007@FreeBSD.org>
In-Reply-To: <4F3E5925.8020004@my.gd>
References: <4F3E5925.8020004@my.gd>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/17/2012 05:41, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
>
> We're currently having a discussion on the FRnOG mailing list regarding
> the laughable announcement of an attack on the DNS root servers by
> Anonymous.

Given their success at their previous endeavors, I wouldn't call it
"laughable." Even if they are unsuccessful at taking down all of the
root servers, if *your* particular part of the Internet gets knocked
down, that's pretty important to you, right?

OTOH, I think that actually doing what they state they want to do will
be very difficult, and not likely to produce the results that they
believe it will. However, unlike some in the DNS/Security communities I
do not intend to outline the deficiencies in their plan, lest they take
advantage of the opportunity to improve it. :)

> I've kinda hijacked the thread to ask whether people slave the root zone
> or not, and why if not.

Well, there is no secret that I (and many others) think it's a good idea.

> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
> pointed out that it might not be a good idea and submitted the following
> discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html

I know Stephane professionally, and I respect his opinion about many
topics. On this topic we disagree.

> Do you still believe slaving the root zone to be a bad idea?

I never thought it was a bad idea. I've been suggesting that people do
it for years. :)

To clarify, almost universally the opposition to the idea centers
around the problems of users who enable this method, and then don't
notice if something changes/breaks, resulting in a stale zone (or
zones, depending on what you choose to slave). I have always
acknowledged that this is a valid concern, just not one that I think
overwhelms the virtues of doing the slaving in the first place.
The method currently in comments in /etc/namedb/named.conf suggests
servers generously provided by ICANN that are dedicated to allowing
AXFR of various infrastructure zones. (Note, ICANN does not necessarily
endorse the idea of slaving these zones for resolvers, but I do have
their permission to include these servers in our named.conf.) That
alleviates one of the other criticisms of slaving these zones, as it
presents no load on the actual root servers at all.

So in short, this is an excellent idea, I've been doing it/recommending
it for years, and assuming you have the knowledge/ability to keep your
resolvers up to date (and/or you're tracking our named.conf where I do
it for you) then it's totally safe to do.

hth,

Doug

- -- 

	It's always a long day; 86400 doesn't fit into a short.

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iQEcBAEBCAAGBQJPPumEAAoJEFzGhvEaGryE5PUH/RmKV4VLjj+iaThsP3BMsN6M
hapYkYUCLeCjPRcN1mhHuR8sjIZ+NV/UUs7MtBxxKzPkeQQx65vmY1pDD66BPIFA
qAFix/BqUbpYoBKLwkPkVMCEF7JCpJ5D8r+4EedybLvxzivpbdzROrPhyOHBinTB
5hxYUfb1t1peY23C4pk3+3k9kSFm0A1lF0JhNCdsvXTl8nZF1LiCChllwN7S//mH
F1jAPHqNtxi+//LzFY913yCHtNrOi2PJT+iiKBBbJxgnr5+HvzdhXATPWEzB1AZE
nDZcc5+zETiFKeTn/zyk4FXoWskcgkYeOfLY1ka+afe6djWsZDb5q8GKVpThgJQ=
=EmJF
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F3EE984.8020007>
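Editor's added example (not part of Doug's message and not the literal text of the FreeBSD named.conf): a BIND `zone` stanza of the kind the message describes, slaving the root zone from ICANN's dedicated AXFR servers instead of from the root servers themselves. The transfer-server names and addresses below are written from memory of the named.conf of that era and are an assumption; check them against the commented-out stanza in the copy of /etc/namedb/named.conf on your system and against ICANN's published list of AXFR servers before using them. Remember that the hint zone for "." must be commented out when this stanza is enabled, since BIND allows only one definition of a zone per view.

```conf
// Added example: slave the root zone for a recursive resolver.
// NOT the FreeBSD named.conf text itself. The ICANN transfer-server
// names/addresses are ASSUMED from memory of that file; verify them.
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";	// must be writable by named
	masters {
		192.0.32.132;		// lax.xfr.dns.icann.org (assumed)
		2620:0:2d0:202::132;	// lax.xfr.dns.icann.org (assumed)
		192.0.47.132;		// iad.xfr.dns.icann.org (assumed)
		2620:0:2830:202::132;	// iad.xfr.dns.icann.org (assumed)
	};
	notify no;		// a resolver has no secondaries to notify
};
```

The check a practitioner wants after enabling this addresses exactly the stale-zone concern the message acknowledges: compare the SOA serial your resolver serves with the one the root servers serve, for example `dig +short SOA . @127.0.0.1` against `dig +short SOA . @a.root-servers.net`. The root zone serial is date-based (YYYYMMDDNN) and is republished frequently, so the two should normally agree within a refresh interval. An answer for `.` from your resolver should also carry the `aa` flag, which confirms the slave copy rather than the hint-driven cache is answering. If transfers fail (blocked TCP/53 to the ICANN servers, changed addresses, an unwritable `file` path), BIND keeps serving the stale copy until the SOA expire timer runs out, then marks the zone expired and answers SERVFAIL for it, which on a resolver slaving `.` means all resolution stops; alert on serial divergence and on `transfer of '.'` failures in the named log, and use `rndc retransfer .` to force a fresh AXFR when you need one.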