On Mon, May 23, 2011 at 12:42 PM, Jim Majorowicz <[email protected]> wrote:
>> The challenge is that neustar.us (the primary registrar for US domains)
>> isn't very good about updating the roots.
>
> Makes sense. I think after reading the blog entry Mike posted, it's
> best if I set forwarders for my clients.

I may be missing something here, but I don't think Neustar's behavior actually has any impact on your question.

All "root hints" are used for is to bootstrap a full-service resolver. The resolver uses the root hints to find a working root server, which it queries for a current copy of the root zone. That's it. Once your resolver has a current copy of the root zone, it can navigate the same public DNS namespace that the rest of the world sees.

If Neustar changes the nameservers for <us.> and doesn't push an update to the root zone, everybody else -- your ISP included -- is going to have the same trouble. Forwarding, or not, won't help or hinder.

That said, forwarders are usually a good idea. Your ISP may have the records you are looking for cached. They will then answer you faster than chasing the delegation chain will get you an answer. If not, they can prolly chase faster than you can, since they will be better connected (by definition -- they're your upstream feed). This will also reduce the load on your firewall, since DNS answers will now be coming from a few select resolvers, rather than potentially anybody in the DNS.

The usual exceptions to "forwards are a good idea" are (1) your ISP's resolver is overloaded, so it is actually slower than your own resolver is, (2) you're multi-homed (more than one ISP), and thus don't want DNS tied to your ISPs, or (3) your ISP likes to rape the DNS in an attempt to turn typos into revenue.

-- Ben
