On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote:
> On 08/20/2018 11:06 PM, Doug Barton wrote:
>> But that doesn't mean that slaving a zone, any zone, including the
>> root, is "dangerous." If slaving zones is dangerous, the DNS is way
>> more fragile than it already is.
>
> Sorry, poor choice of words.
>
> The last time I read the RFC discussing slaving the root zone stressed
> that it should only be done for localhost and / or a special config that
> could only impact the single host if (implying when) there was a
> problem, thus limiting the scope of negative impact.
>
> I combined that and the potential unvalidated zone transfer allowing
> "corruption" and called it "dangerous".
>
> I don't think there is anything dangerous about slave zone transfers at
> all. I've been doing them for the better part of 20 years.
>
> I think the "danger", if any, is the fact that the discussion was around
> the root zone and the potential impact of the blast radius if things
> went wrong. Namely all client machines that used the DNS server in
> question.
>
>> The DNSSEC validation errors that Tony references are self-healing, in
>> that if the validating resolver stops validating things, the operator
>> is hopefully going to notice that, and take steps to fix it.
>
> Sadly, the small user base that I've had, has been more likely to not
> tell me about problems and live with things or change things to use
> other servers without providing that desired ~> needed feedback loop.
>
>> I am certainly open to the new mirror zone software doing awesome
>> things, don't get me wrong. But don't call something "dangerous" that
>> lots of people have already been using successfully for over 15 years.
>
> Sorry for the poor choice of words.

Fair enough, no harm in challenging assumptions, etc. I have never said
that slaving the root is for everyone, and you've illustrated some good
reasons why.