On 08/15/2018 09:11 AM, Bob McDonald wrote:
> I've recently been investigating having a local slave copy of the root
> zone on a caching/forwarder type server. I've even put the local slave
> copy of the root zone into a separate view accessed via a different
> loopback address. (A limited example of this exists on the ISC site.)
> My question is this. Is there any benefit to also hosting local slave
> copies of arpa., in-addr.arpa., and ip6.arpa.? Although FreeBSD now
> comes with unbound as its default DNS software, installing bind yields
> an example named.conf which floats the concept of the local slave copies
> of the above zones. (That is what led me down this path...)
I'm responsible for the slave zone configuration in the FreeBSD
named.conf. At least, I wrote the original version of it, and maintained
it for many years. The version located here looks essentially as I left
it:
https://svnweb.freebsd.org/ports/head/dns/bind913/files/named.conf.in?revision=470832&view=markup
Slaving the root and ARPA zones is a small benefit to performance for a
busy resolver, and as long as you maintain a watch on your logs to make
sure that slaving the zone does not fail, you're golden.
I understand the reasoning behind maintaining these zones in a separate
view, accessible only locally, but don't see any value in it. A resolver
is going to cache the answers it gets anyway.
This technique is particularly useful for folks in bad/expensive network
conditions. While the current anycast networks of root servers are much
better than they were "in the old days," the more data you have locally the
more resilient you are to DDOS against those targets.
In regards to production readiness, I've used it in heavy production at
numerous sites, as have thousands of FreeBSD users.
hope this helps,
Doug
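The caveat above about keeping an eye on the logs is the part people tend to skip: a secondary copy of the root or ARPA zones that quietly stops transferring will eventually expire, and the resolver then has to fall back to the public servers with no warning. The following is an added example, not code from this thread or from the FreeBSD named.conf, that scans BIND log output for the transfer, refresh-failure and expiry messages and reports which of the configured secondary zones are in trouble. The log lines it runs over are constructed for the example and modelled on the message formats BIND 9 emits for these events; the `EXPECTED_ZONES` list is an assumption matching the four zones discussed here.

```python
"""Report secondary (slave) zone transfer problems from BIND named logs.

Added example for this thread; not code from the original post or from
FreeBSD's named.conf. The sample log lines are constructed and modelled
on the message formats BIND 9 uses for zone transfers, refresh failures
and zone expiry.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the zones the resolver is configured to slave (the set from the thread).
EXPECTED_ZONES = [".", "arpa", "in-addr.arpa", "ip6.arpa"]

# Constructed sample log: root and arpa transfer fine, in-addr.arpa cannot
# reach its master, ip6.arpa is refused and finally expires.
SAMPLE_LOG = """\
15-Aug-2018 09:20:01.001 xfer-in: info: transfer of './IN' from 192.0.2.53#53: Transfer status: success
15-Aug-2018 09:20:01.002 general: info: zone ./IN: transferred serial 2018081500
15-Aug-2018 09:20:02.010 general: info: zone arpa/IN: transferred serial 2018081501
15-Aug-2018 09:25:00.100 general: warning: zone in-addr.arpa/IN: refresh: failure trying master 192.0.2.54#53 (source 0.0.0.0#0): timed out
15-Aug-2018 09:25:00.200 xfer-in: error: transfer of 'ip6.arpa/IN' from 192.0.2.55#53: failed while receiving responses: REFUSED
15-Aug-2018 09:30:00.300 general: warning: zone ip6.arpa/IN: expired
"""

# The root zone appears as "./IN" in these messages; (\S+) backtracks to "."
RE_TRANSFERRED = re.compile(r"zone (\S+)/IN: transferred serial (\d+)")
RE_REFRESH_FAIL = re.compile(
    r"zone (\S+)/IN: refresh: failure trying master (\S+) \(source [^)]*\): (.*)")
RE_XFER_FAIL = re.compile(r"transfer of '(\S+)/IN' from (\S+): failed\b(.*)")
RE_EXPIRED = re.compile(r"zone (\S+)/IN: expired")


@dataclass
class ZoneStatus:
    name: str
    serial: Optional[int] = None          # last serial transferred successfully
    expired: bool = False                 # zone expired and is no longer served
    failures: List[str] = field(default_factory=list)


def analyze(log_text: str) -> Dict[str, ZoneStatus]:
    """Walk the log once and build a per-zone status record."""
    status: Dict[str, ZoneStatus] = {}

    def get(zone: str) -> ZoneStatus:
        return status.setdefault(zone, ZoneStatus(zone))

    for line in log_text.splitlines():
        if m := RE_TRANSFERRED.search(line):
            z = get(m.group(1))
            z.serial = int(m.group(2))
            z.expired = False             # a fresh transfer clears an earlier expiry
        elif m := RE_REFRESH_FAIL.search(line):
            get(m.group(1)).failures.append(
                f"refresh failure trying master {m.group(2)}: {m.group(3).strip()}")
        elif m := RE_XFER_FAIL.search(line):
            get(m.group(1)).failures.append(
                f"transfer from {m.group(2)} failed{m.group(3).rstrip()}")
        elif m := RE_EXPIRED.search(line):
            get(m.group(1)).expired = True
    return status


def problems(status: Dict[str, ZoneStatus], expected: List[str]) -> List[str]:
    """Return one line per finding for each zone we expect to be slaving."""
    out: List[str] = []
    for zone in expected:
        z = status.get(zone)
        if z is None or z.serial is None:
            out.append(f"zone {zone}: no successful transfer recorded")
        if z is not None and z.expired:
            out.append(f"zone {zone}: EXPIRED, secondary copy no longer served")
        if z is not None:
            for failure in z.failures:
                out.append(f"zone {zone}: {failure}")
    return out


if __name__ == "__main__":
    for finding in problems(analyze(SAMPLE_LOG), EXPECTED_ZONES):
        print(finding)
```

In practice you would feed this the relevant named log file (or the `xfer-in` and `general` categories from syslog) on a schedule and alert on a non-empty result; a zone with no `transferred serial` line within its SOA refresh interval is the early signal, and `expired` is the one you never want to see.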
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users