Message-ID: <530E0A40.3030103@wenks.ch>
Date: Wed, 26 Feb 2014 16:37:36 +0100
From: Fabian Wenk
To: freebsd-hubs@freebsd.org
Subject: Re: Future of DNS, DNSSEC, country code delegations, etc.
References: <530C59D7.30204@wemm.org>
In-Reply-To: <530C59D7.30204@wemm.org>

Hello Peter

On 25.02.14 09:52, Peter Wemm wrote:
> We (freebsd.org) use ISC's global anycasted ISC-SNS dns servers. In our
> experience they have excellent coverage around the world so we'd prefer to
> fold the *.cc.freebsd.org zone into the main freebsd.org zone (like
> wwwN.us.freebsd.org and ftpN.us.freebsd.org are right now). Actual
> sub-zones could be done if there's a regional reachability problem but I
> would rather not unless we absolutely had to.

In the end this is the right thing to do. Even if there are two
different points of view, even from myself.

One is from me as the ch.freebsd.org DNS zone operator, which I am
proud of doing for the FreeBSD project. But as can be seen in [1], I
also have some unresolved challenges. I even did forward this to
cvsup-master@ in December without any answer yet. As I put workarounds
in place, it is not critical, but also not a nice and permanent
solution.

[1] http://lists.freebsd.org/pipermail/freebsd-hubs/2013-October/002699.html

And the other one is from me as a FreeBSD user depending on and
trusting the project infrastructure (which also includes the
cc.freebsd.org DNS zones and servers) and the people who operate it.
In retrospect to how easy it was to become the operator of the
ch.freebsd.org DNS zone (it was handed over to me from a friend who
ran it before), this also worries me. If I would e.g. point DNS entries
to rogue servers, I could probably cause some damage to users using it.
This is something which I will never do, as in the end this would hurt
my own reputation.

So I support the decision that the FreeBSD project itself should
operate the cc DNS zones on their own infrastructure.

I think the argument about regional reachability can probably be
ignored, because if a regional resolving DNS server does not already
know on which DNS server e.g. the ch.freebsd.org DNS zone is, it still
needs to resolve this through the root and then the freebsd.org DNS
servers.

bye
Fabian
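
The resolution path argued in the last paragraph of the message, modelled as an added example that is not part of the original post or of the FreeBSD project's configuration. The server labels (`root`, `org-ns`, `freebsd-ns`, `ch-ns`), the host name `ftp.ch.freebsd.org.` and the address `192.0.2.10` are constructed placeholders.

```python
# Constructed model of iterative resolution. Server labels and the address are
# placeholders (assumptions), not the project's real DNS data.
NAME = "ftp.ch.freebsd.org."
ALL = {"root", "org-ns", "freebsd-ns", "ch-ns"}

# Layout A: country-code names folded into the main freebsd.org zone.
FOLDED = {
    "root": {"delegations": {"org.": "org-ns"}},
    "org-ns": {"delegations": {"freebsd.org.": "freebsd-ns"}},
    "freebsd-ns": {"answers": {NAME: "192.0.2.10"}},
}
# Layout B: ch.freebsd.org delegated to a separately operated server.
DELEGATED = {
    "root": {"delegations": {"org.": "org-ns"}},
    "org-ns": {"delegations": {"freebsd.org.": "freebsd-ns"}},
    "freebsd-ns": {"delegations": {"ch.freebsd.org.": "ch-ns"}},
    "ch-ns": {"answers": {NAME: "192.0.2.10"}},
}

def resolve(name, servers, reachable, cache=None):
    """Follow delegations for `name`; return (address or None, servers tried).

    `cache` maps already-learned zone cuts to their server, modelling a
    resolver that "already knows" where a sub-zone lives.
    """
    server = "root"
    # Start from the most specific cached zone cut that covers the name.
    for zone in sorted(cache or {}, key=len, reverse=True):
        if name.endswith("." + zone):
            server = cache[zone]
            break
    tried = []
    while True:
        tried.append(server)
        if server not in reachable:
            return None, tried          # lookup fails at this hop
        data = servers[server]
        if name in data.get("answers", {}):
            return data["answers"][name], tried
        cuts = [z for z in data.get("delegations", {}) if name.endswith("." + z)]
        if not cuts:
            return None, tried          # no answer and no referral
        server = data["delegations"][max(cuts, key=len)]

if __name__ == "__main__":
    regional = ALL - {"freebsd-ns"}     # freebsd.org servers unreachable here
    print(resolve(NAME, FOLDED, ALL))
    print(resolve(NAME, DELEGATED, regional))                        # cold cache
    print(resolve(NAME, DELEGATED, regional, {"ch.freebsd.org.": "ch-ns"}))
```

With a cold cache the delegated layout fails at the same hop the folded layout would, and it only adds one more separately operated server to the chain; the sub-zone helps only while the delegation is still cached.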