Date: Wed, 31 Jan 2001 17:50:48 -0800 (PST) From: Matt Dillon <dillon@earth.backplane.com> To: sthaug@nethelp.no Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind Message-ID: <200102010150.f111omZ23184@earth.backplane.com> References: <200101312327.f0VNRPv20077@earth.backplane.com> <28878.980985205@verdi.nethelp.no>
next in thread | previous in thread | raw e-mail | index | archive | help
:
:Disagree. The problem here is that named stops answering queries for a
:long time while it is sucking in the zone files. This is mostly a problem
:for servers with many thousands of domains - but in those cases it can be
:quite noticeable. Here's a server with 14000 zones:
:
:Jan 28 22:22:31 nn named[8645]: starting (/etc/named.conf). named 8.2.3-REL
Umm... respectfully, you are not configuring your system correctly
if the down time affects you.
This is what we did at BEST:
* Three machines running named , recursive enabled, not serving any
primary zones.
All machines and customers accessed these three DNS servers to do
lookups. We generally did not restart these, and when we did the
restarts were instantanious (since they weren't primary for any
zones).
* Three machines running named, non-recursive, ONLY used to serve
primary and secondary zones. At least 20,000 zones, dup'd to each
box.
We updated the primary DNS boxes four times a day. We updated the boxes
one at a time, so at any given moment only one was 'down'.
The DNS protocols handle the rest. It's perfectly acceptable for a
primary NS to be down as long as other primary NS's are up.
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200102010150.f111omZ23184>