From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
Date: Sat, 04 Aug 2007 16:24:17 -0700
To: Oliver Fromme
Cc: freebsd-current@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: named.conf restored to hint zone for the root by default
Message-ID: <46B50AA1.2080502@FreeBSD.org>
In-Reply-To: <200708030912.l739ChF5075798@lurza.secnetix.de>
References: <200708030912.l739ChF5075798@lurza.secnetix.de>

Oliver Fromme wrote:
> By the way, I have changed from hints to slaves on the DNS
> servers for a large server farm (just testing right now;
> I might go back to hints if I don't feel it's worth it).

Depending on how many name servers you have, you might get a bigger win by slaving the root to one server, then slaving it to the others from your "local master." If you're only talking about a few name servers it's probably not worth it, though.

> It _seems_ a few applications run with lower latency, but
> I'll need to run some benchmarks in order to get some hard
> numbers.

If your stuff is relatively well behaved and generally only queries a few TLDs, you might not get much of a benefit in terms of reduced latency. In this scenario the main advantage is better resilience to a root DDoS.

Where this technique really works well is a scenario where you are answering a lot of "random" queries that could potentially include invalid TLDs and other "junk." Not sending those queries to the roots helps reduce traffic for them and for you, and gives you much better latency on the inevitable NXDOMAIN response.

hth,

Doug

-- 

This .signature sanitized for your protection
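The two-tier layout Doug describes (one resolver slaves "." from the root servers, the rest slave it from that "local master"), written out as BIND 9 named.conf fragments. This is an added example, not the configuration shipped with FreeBSD or posted in this thread. The host names and the 10.0.0.0/24 addresses are made up for illustration; the three root-server addresses are the F, G and K root addresses as published in the root hints at the time of this thread and must be checked against a current root.hints (and against each operator's zone-transfer policy) before use, since not every root server permits AXFR of the root zone.

```conf
// ---- Option A: the default, a hint zone. named primes its cache from
// root.hint and iterates from the roots for every name it has not cached.
zone "." {
	type hint;
	file "named.root";
};

// ---- Option B, tier 1: the "local master" (assumed name ns1.example.net,
// 10.0.0.1) slaves the root zone directly from root servers that allow AXFR.
zone "." {
	type slave;
	file "slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET, assumed to permit AXFR; verify
		192.112.36.4;	// G.ROOT-SERVERS.NET, assumed to permit AXFR; verify
		193.0.14.129;	// K.ROOT-SERVERS.NET, assumed to permit AXFR; verify
	};
	notify no;		// do not NOTIFY the roots back
};

// Tier 1 only: the local master must let the farm's other resolvers
// transfer the zone from it, and nobody else. Put this inside options {}
// or, more narrowly, inside the zone "." block above.
acl "farm-resolvers" { 10.0.0.0/24; };	// assumed address range
options {
	allow-transfer { farm-resolvers; };
};

// ---- Option B, tier 2: every other resolver in the farm slaves "." from
// the local master instead of from the roots, so only one host talks to
// the root servers for transfers.
zone "." {
	type slave;
	file "slave/root.slave";
	masters { 10.0.0.1; };	// ns1.example.net, the local master (assumed)
	notify no;
};
```

With Option B, a query for a non-existent TLD is answered NXDOMAIN from the local copy of the root zone without leaving the resolver, which is the latency and root-traffic benefit Doug mentions; the trade-off is that the slaves now depend on the local master refreshing successfully, so watch the SOA expire timer and the "zone transfer" log lines on tier 1.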