From: Doug Rabson <dfr@rabson.org>
To: Randy Bush
Cc: Doug Barton, FreeBSD Stable, Peter Losher, FreeBSD Current
Subject: Re: default dns config change causing major poolpah
Date: Thu, 02 Aug 2007 09:42:15 +0100
Message-Id: <1186044135.1264.23.camel@herring.rabson.org>
In-Reply-To: <18097.22498.575342.155398@roam.psg.com>
References: <46B01D5E.6050004@psg.com> <20070801110727.GC59008@menantico.com> <46B0EDEA.8050608@FreeBSD.org> <20070801211320.GE59008@menantico.com> <46B10A28.8000908@FreeBSD.org> <46B12E06.5030809@isc.org> <18097.22498.575342.155398@roam.psg.com>
List-Id: Discussions about the use of FreeBSD-current

On Wed, 2007-08-01 at 18:04 -1000, Randy Bush wrote:
> > in addition nowhere does it state in RFC2870 that the root-servers have to
> > accept AXFR's as part of their service. in fact, the opposite
>
>    2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
>        queries from clients other than other root servers. This
>        restriction is intended to, among other things, prevent
>        unnecessary load on the root servers as advice has been heard
>        such as "To avoid having a corruptible cache, make your server a
>        stealth secondary for the root zone." The root servers MAY put
>        the root zone up for ftp or other access on one or more less
>        critical servers.

I think this makes it completely clear that we should not be trying to use the AXFR service from any of the root servers. Expert users can do what they like, but making our default configuration use a service which is documented in the current best practices document as being unsupported seems foolish.
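As an added illustration, not taken from the thread or from FreeBSD's shipped files: the two ways of declaring BIND's root zone that the discussion contrasts, as named.conf fragments. The file paths and the master address are placeholders (192.0.2.53 is a documentation address, not a root server), and only one of the two `zone "."` stanzas may appear in a given named.conf.

```conf
// Discouraged: slaving the root zone by AXFR from a root server.
// RFC 2870 section 2.7 says root servers SHOULD NOT answer zone
// transfers from anyone but other root servers, so this transfer
// is unsupported and only adds load on the root servers.
zone "." {
	type slave;
	file "slave/root.slave";        // placeholder path
	masters {
		192.0.2.53;             // placeholder, not a real root-server address
	};
	notify no;
};

// Supported: a hint zone. named only needs the list of root-server
// names and addresses to prime its cache, then resolves recursively
// like any other resolver and never asks a root server for AXFR.
zone "." {
	type hint;
	file "/etc/namedb/named.root";  // assumed path; use your distribution's root hints file
};
```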