From owner-freebsd-questions@FreeBSD.ORG Sat Feb 18 11:23:40 2012
Message-ID: <4F3F8A38.10303@my.gd>
Date: Sat, 18 Feb 2012 12:23:36 +0100
From: Damien Fleuriot
To: Doug Barton
Cc: "freebsd-questions@freebsd.org", Jeremy Chadwick
In-Reply-To: <4F3EE984.8020007@FreeBSD.org>
Subject: Re: DNS - slaving the root zone

On 2/18/12 12:57 AM, Doug Barton wrote:
>
> To clarify, almost universally the opposition to the idea centers around
> the problems of users who enable this method, and then don't notice if
> something changes/breaks, resulting in a stale zone (or zones, depending
> on what you choose to slave). I have always acknowledged that this is a
> valid concern, just not one that I think overwhelms the virtues of doing
> the slaving in the first place.
>

Could you elaborate on the "something changes/breaks, admin doesn't
notice, results in a stale zone" bit?
I fail to see the circumstances under which that could happen.

> The method currently in comments in /etc/namedb/named.conf suggests
> servers generously provided by ICANN that are dedicated to allowing AXFR
> of various infrastructure zones. (Note, ICANN does not necessarily
> endorse the idea of slaving these zones for resolvers, but I do have
> their permission to include these servers in our named.conf.) That
> alleviates one of the other criticisms of slaving these zones, as it
> presents no load on the actual root servers at all.
>
> So in short, this is an excellent idea, I've been doing it/recommending
> it for years, and assuming you have the knowledge/ability to keep your
> resolvers up to date (and/or you're tracking our named.conf where I do
> it for you) then it's totally safe to do.
>

Indeed, been deleting the traditional hint file based . zone for a while
and using the slaving mechanism for over a year already, works fine
enough for us.

You have me somewhat worried with the bit about something breaking
though, thus the call for details ;)
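
The stale-zone concern quoted above can be watched for by comparing the SOA serial served by the local slave with the one on the transfer source. This is an added example, not part of the original message or of FreeBSD's named.conf; the function names, the two-day threshold, the sample SOA lines and the assumption that the zone uses YYYYMMDDNN serials are illustrative.

```python
from datetime import date, datetime

# Constructed sample "dig +short SOA ." answers (not captured from real servers).
LOCAL_SOA = "a.root-servers.net. nstld.verisign-grs.com. 2012021000 1800 900 604800 86400"
MASTER_SOA = "a.root-servers.net. nstld.verisign-grs.com. 2012021801 1800 900 604800 86400"


def parse_soa(line):
    """Split SOA rdata into named fields; reject anything that is not 7 fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    names = ("serial", "refresh", "retry", "expire", "minimum")
    soa = {"mname": fields[0], "rname": fields[1]}
    soa.update(zip(names, (int(v) for v in fields[2:])))
    return soa


def serial_lt(a, b):
    """RFC 1982 comparison of 32-bit serials: True if a is older than b."""
    return a != b and (b - a) % 2**32 < 2**31


def serial_date(serial):
    """Date encoded in a YYYYMMDDNN serial, or None if it does not parse as one."""
    try:
        return datetime.strptime("%08d" % (serial // 100), "%Y%m%d").date()
    except ValueError:
        return None


def check_slave(local_line, master_line, today, max_age_days=2):
    """Return a list of staleness findings for the slaved copy (empty if healthy)."""
    local, master = parse_soa(local_line), parse_soa(master_line)
    findings = []
    if serial_lt(local["serial"], master["serial"]):
        findings.append("behind master: %d < %d" % (local["serial"], master["serial"]))
    stamp = serial_date(local["serial"])
    # Assumption: the zone uses date-based serials, so the serial itself shows age.
    if stamp is not None and (today - stamp).days > max_age_days:
        findings.append("serial is %d days old" % (today - stamp).days)
    return findings


if __name__ == "__main__":
    for finding in check_slave(LOCAL_SOA, MASTER_SOA, date(2012, 2, 18)):
        print("STALE:", finding)
```

In practice the two input lines would come from querying the local resolver and one of the configured masters, and a non-empty result would feed whatever alerting the site already uses.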