Date: Sat, 18 Feb 2012 12:23:36 +0100
From: Damien Fleuriot <ml@my.gd>
To: Doug Barton <dougb@FreeBSD.org>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, Jeremy Chadwick <freebsd@jdc.parodius.com>
Subject: Re: DNS - slaving the root zone
Message-ID: <4F3F8A38.10303@my.gd>
In-Reply-To: <4F3EE984.8020007@FreeBSD.org>
References: <4F3E5925.8020004@my.gd> <4F3EE984.8020007@FreeBSD.org>

On 2/18/12 12:57 AM, Doug Barton wrote:
>
> To clarify, almost universally the opposition to the idea centers around
> the problems of users who enable this method, and then don't notice if
> something changes/breaks, resulting in a stale zone (or zones, depending
> on what you choose to slave). I have always acknowledged that this is a
> valid concern, just not one that I think overwhelms the virtues of doing
> the slaving in the first place.
>

Could you elaborate on the "something changes/breaks, admin doesn't
notice, results in a stale zone" bit?
I fail to see the circumstances under which that could happen.

> The method currently in comments in /etc/namedb/named.conf suggests
> servers generously provided by ICANN that are dedicated to allowing AXFR
> of various infrastructure zones. (Note, ICANN does not necessarily
> endorse the idea of slaving these zones for resolvers, but I do have
> their permission to include these servers in our named.conf.) That
> alleviates one of the other criticisms of slaving these zones, as it
> presents no load on the actual root servers at all.
>
> So in short, this is an excellent idea, I've been doing it/recommending
> it for years, and assuming you have the knowledge/ability to keep your
> resolvers up to date (and/or you're tracking our named.conf where I do
> it for you) then it's totally safe to do.
>

Indeed, been deleting the traditional hint file based . zone for a while
and using the slaving mechanism for over a year already, works fine
enough for us.

You have me somewhat worried with the bit about something breaking
though, thus the call for details ;)
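
One way to notice the stale-zone case discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD's named.conf: a check that reads the SOA record a resolver returns for a slaved zone and flags it when the serial is too old. It assumes the zone uses a date-coded YYYYMMDDNN serial; the function names, the two-day threshold and the sample SOA line are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample of an SOA answer for "." in dig / zone-file presentation format.
SAMPLE_SOA = (". 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. "
              "2012021800 1800 900 604800 86400")


def parse_soa(line):
    """Parse one SOA record line into its numeric fields."""
    fields = line.split()
    # owner ttl class type mname rname serial refresh retry expire minimum
    if len(fields) != 11 or fields[3].upper() != "SOA":
        raise ValueError("not an SOA record: %r" % line)
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[6:])
    return {"serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}


def serial_date(serial):
    """Return the date encoded in a YYYYMMDDNN serial, or None if not date-coded."""
    text = str(serial)
    if len(text) != 10:
        return None
    try:
        return datetime.strptime(text[:8], "%Y%m%d").date()
    except ValueError:
        return None


def check_stale(line, today, max_age_days=2):
    """Return (status, age_in_days) for the zone copy described by an SOA line.

    status is "OK", "STALE" (serial older than max_age_days, an assumed
    threshold) or "UNKNOWN" when the serial does not encode a date.
    """
    published = serial_date(parse_soa(line)["serial"])
    if published is None:
        return ("UNKNOWN", None)
    age = (today - published).days
    return ("STALE" if age > max_age_days else "OK", age)


if __name__ == "__main__":
    print(check_stale(SAMPLE_SOA, date.today()))
```

Feeding it the SOA line returned by the local resolver from a scheduled job turns a silently failing transfer into an alert.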