On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote:
On 08/20/2018 11:06 PM, Doug Barton wrote:
But that doesn't mean that slaving a zone, any zone, including the root, is "dangerous." If slaving zones is dangerous, the DNS is way more fragile than it already is.

Sorry, poor choice of words.

The last time I read the RFC discussing slaving the root zone, it stressed that it should only be done for localhost and / or a special config that could only impact the single host if (implying when) there was a problem, thus limiting the scope of negative impact.

I combined that and the potential unvalidated zone transfer allowing "corruption" and called it "dangerous".

I don't think there is anything dangerous about slave zone transfers at all.  I've been doing them for the better part of 20 years.

I think the "danger", if any, is the fact that the discussion was around the root zone and the potential impact of the blast radius if things went wrong.  Namely all client machines that used the DNS server in question.

The DNSSEC validation errors that Tony references are self-healing, in that if the validating resolver stops validating things, the operator is hopefully going to notice that, and take steps to fix it.

Sadly, the small user base that I've had has been more likely to not tell me about problems and live with things, or change things to use other servers, without providing that desired ~> needed feedback loop.

I am certainly open to the new mirror zone software doing awesome things, don't get me wrong. But don't call something "dangerous" that lots of people have already been using successfully for over 15 years.

Sorry for the poor choice of words.

Fair enough, no harm in challenging assumptions, etc. I have never said that slaving the root is for everyone, and you've illustrated some good reasons why.
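The two setups discussed above, the localhost-scoped root slave (the RFC 7706 style Grant refers to) and the mirror zone Doug mentions, as an added named.conf sketch that is not from this thread or from ISC. The root transfer addresses and the availability of `type mirror` (BIND 9.14 and later) are assumptions from my own reading, not taken from the messages.

```conf
// Added example, not from the thread. Option A: local root copy, RFC 7706 style.
// Scope is limited to this host so a bad transfer only affects this resolver.
zone "." {
    type slave;
    // Assumption: two root-zone transfer sources from the RFC 7706 list;
    // verify the current list before relying on it.
    masters { 192.5.5.241; 192.33.4.12; };
    file "root.zone.db";
    notify no;                     // do not announce this copy to anyone
    allow-query { localhost; };    // only this host may ask it
    allow-transfer { none; };      // never serve the copy onward
};

// Option B (assumes BIND 9.14 or later): a mirror zone. The transferred
// root zone is DNSSEC-validated before it is used, so a corrupted or
// tampered transfer is rejected rather than served to clients.
zone "." {
    type mirror;
    masters { 192.5.5.241; 192.33.4.12; };
};
```

The two `zone "."` blocks are alternatives; only one definition of the root zone can exist in a view, so pick one.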
