From owner-freebsd-questions@FreeBSD.ORG Fri Feb 17 23:59:27 2012
Message-ID: <4F3EE984.8020007@FreeBSD.org>
Date: Fri, 17 Feb 2012 15:57:56 -0800
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: Damien Fleuriot
Cc: "freebsd-questions@freebsd.org", Jeremy Chadwick
References: <4F3E5925.8020004@my.gd>
In-Reply-To: <4F3E5925.8020004@my.gd>
Subject: Re: DNS - slaving the root zone

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/17/2012 05:41, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
>
>
> We're currently having a discussion on the FRnOG mailing list regarding
> the laughable announcement of an attack on the DNS root servers by
> Anonymous.

Given their success at their previous endeavors, I wouldn't call it "laughable." Even if they are unsuccessful at taking down all of the root servers, if *your* particular part of the Internet gets knocked down, that's pretty important to you, right?

OTOH, I think that actually doing what they state they want to do will be very difficult, and not likely to produce the results that they believe it will.
However, unlike some in the DNS/Security communities I do not intend to outline the deficiencies in their plan, lest they take advantage of the opportunity to improve it. :)

> I've kinda hijacked the thread to ask whether people slave the root zone
> or not, and why if not.

Well there is no secret that I (and many others) think it's a good idea.

> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
> pointed out that it might not be a good idea and submitted the following
> discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html

I know Stephane professionally, and I respect his opinion about many topics. On this topic we disagree.

> Do you still believe slaving the root zone to be a bad idea?

I never thought it was a bad idea. I've been suggesting that people do it for years. :)

To clarify, almost universally the opposition to the idea centers around the problems of users who enable this method, and then don't notice if something changes/breaks, resulting in a stale zone (or zones, depending on what you choose to slave). I have always acknowledged that this is a valid concern, just not one that I think overwhelms the virtues of doing the slaving in the first place.

The method currently in comments in /etc/namedb/named.conf suggests servers generously provided by ICANN that are dedicated to allowing AXFR of various infrastructure zones. (Note, ICANN does not necessarily endorse the idea of slaving these zones for resolvers, but I do have their permission to include these servers in our named.conf.) That alleviates one of the other criticisms of slaving these zones, as it presents no load on the actual root servers at all.

So in short, this is an excellent idea, I've been doing it/recommending it for years, and assuming you have the knowledge/ability to keep your resolvers up to date (and/or you're tracking our named.conf where I do it for you) then it's totally safe to do.
hth,

Doug

- --

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iQEcBAEBCAAGBQJPPumEAAoJEFzGhvEaGryE5PUH/RmKV4VLjj+iaThsP3BMsN6M
hapYkYUCLeCjPRcN1mhHuR8sjIZ+NV/UUs7MtBxxKzPkeQQx65vmY1pDD66BPIFA
qAFix/BqUbpYoBKLwkPkVMCEF7JCpJ5D8r+4EedybLvxzivpbdzROrPhyOHBinTB
5hxYUfb1t1peY23C4pk3+3k9kSFm0A1lF0JhNCdsvXTl8nZF1LiCChllwN7S//mH
F1jAPHqNtxi+//LzFY913yCHtNrOi2PJT+iiKBBbJxgnr5+HvzdhXATPWEzB1AZE
nDZcc5+zETiFKeTn/zyk4FXoWskcgkYeOfLY1ka+afe6djWsZDb5q8GKVpThgJQ=
=EmJF
-----END PGP SIGNATURE-----
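The one concern Doug concedes above is the stale slaved zone: a resolver that keeps answering from a copy of "." that stopped transferring and that nobody noticed. The script below is an added example for this thread, not code from the FreeBSD named.conf or from either poster. It compares the SOA of the locally slaved root zone against an authoritative root server and flags a copy that is behind or approaching its SOA expire window. It assumes the `dig +short <zone> SOA` answer format ("mname rname serial refresh retry expire minimum"), that the root zone serial follows the YYYYMMDDNN convention the IANA root zone uses, and that the resolver under test listens on 127.0.0.1 while a.root-servers.net is the upstream reference; the two sample SOA answers in the block are constructed, not captured from real servers.

```python
"""Detect a stale slaved root zone by comparing SOA serials.

Added example for this thread, not from the FreeBSD named.conf or from
the author. Assumes `dig +short <zone> SOA` output and a YYYYMMDDNN
serial, which is how the IANA root zone serial is numbered.
"""
import datetime
import re
import subprocess
from dataclasses import dataclass

SOA_RE = re.compile(
    r"^(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+(?P<refresh>\d+)"
    r"\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)

# Constructed sample answers (not captured from real servers): the local
# resolver's copy is three days behind the upstream root zone.
SAMPLE_LOCAL = "a.root-servers.net. nstld.verisign-grs.com. 2012021400 1800 900 604800 86400"
SAMPLE_UPSTREAM = "a.root-servers.net. nstld.verisign-grs.com. 2012021701 1800 900 604800 86400"


@dataclass
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(text: str) -> Soa:
    """Parse one `dig +short` SOA line into its seven fields."""
    m = SOA_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a +short SOA answer: {text!r}")
    ints = (int(m[k]) for k in ("serial", "refresh", "retry", "expire", "minimum"))
    return Soa(m["mname"], m["rname"], *ints)


def serial_date(serial: int) -> datetime.date:
    """Decode the YYYYMMDD prefix of a YYYYMMDDNN serial."""
    s = str(serial)
    if len(s) != 10:
        raise ValueError(f"serial {serial} is not in YYYYMMDDNN form")
    return datetime.date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def assess(local: Soa, upstream: Soa, today: datetime.date) -> dict:
    """Compare the slaved copy against an authoritative answer.

    SOA `expire` counts from the last successful transfer, which a plain
    SOA query cannot reveal, so the age of the date embedded in the local
    serial is used as a proxy: the root zone is republished at least
    daily, so a serial dated days back means transfers have been failing.
    """
    local_date = serial_date(local.serial)
    age_days = (today - local_date).days
    expire_days = local.expire // 86400
    return {
        "local_serial": local.serial,
        "upstream_serial": upstream.serial,
        "behind": local.serial < upstream.serial,
        "lag_days": (serial_date(upstream.serial) - local_date).days,
        "age_days": age_days,
        # Past half the expire window BIND is on its way to refusing to
        # serve the zone at all; alert well before that happens.
        "near_expire": age_days * 2 >= expire_days,
        "mname_mismatch": local.mname != upstream.mname,
    }


def check(local_text: str, upstream_text: str, today_iso: str) -> dict:
    """Wrapper around parse_soa/assess for raw dig output and an ISO date."""
    return assess(parse_soa(local_text), parse_soa(upstream_text),
                  datetime.date.fromisoformat(today_iso))


def dig_soa(server: str, zone: str = ".") -> str:
    """Run `dig +short @server zone SOA` and return the first answer line."""
    out = subprocess.run(["dig", "+short", f"@{server}", zone, "SOA"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().splitlines()[0]


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        # Local resolver on 127.0.0.1 versus a real root server (assumed endpoints).
        result = check(dig_soa("127.0.0.1"), dig_soa("a.root-servers.net"),
                       datetime.date.today().isoformat())
    else:
        result = check(SAMPLE_LOCAL, SAMPLE_UPSTREAM, "2012-02-17")
    for key, value in result.items():
        print(f"{key:16} {value}")
    sys.exit(1 if result["behind"] or result["near_expire"] else 0)
```

Run it from cron on each resolver that slaves "." and page on a non-zero exit; with `--live` it queries the two servers, without it it runs on the constructed samples. Because the check only needs two SOA queries, it adds no meaningful load to the root servers, which keeps the "no load on the real roots" property that the ICANN AXFR servers give the slaving setup itself.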