Re: named.conf restored to hint zone for the root by default
Doug Barton wrote:
> Oliver Fromme wrote:
> > By the way, I have changed from hints to slaves on the DNS servers for a large server farm (just testing right now; I might go back to hints if I don't feel it's worth it).
>
> Depending on how many name servers you have you might get a bigger win by slaving the root to one server, then slaving it to the others from your local master. If you're only talking about a few name servers it's probably not worth it though.

It's three name servers, and they're intended to be completely independent of each other. That's why I've configured each of them to retrieve the root zone on its own.

> > It _seems_ a few applications run with lower latency, but I'll need to run some benchmarks in order to get some hard numbers.
>
> If your stuff is relatively well behaved, and generally only queries a few TLDs you might not get much of a benefit in terms of reduced latency. In this scenario the main advantage is better resilience to a root DDoS. Where this technique really works well is a scenario where you are answering a lot of random queries that could potentially include invalid TLDs and other junk. Not sending those queries to the roots helps reduce traffic for them and for you, and gives you much better latency on the inevitable NXDOMAIN response.

The farm contains several mail servers with spam and virus scanners, http proxies with (roughly) several thousands of users, a few dozen web servers and other things. I think especially the mail scanners and the proxies generate some amount of dns junk queries.

Thanks for your suggestions!

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH,
Commercial register: Munich registry court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"I made up the term 'object-oriented', and I can tell you I didn't have C++ in mind." -- Alan Kay, OOPSLA '97
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: named.conf restored to hint zone for the root by default
On Aug 2, 2007, at 18:16, Kevin Oberman wrote:
> Also, the root zone is updated twice a day, every day (at least to the extent of a serial number bump) whether it is needed or not. Forcing the minimum refresh to once a day could delay the recognition of a new zone for up to a day and that is not a good thing.

Well, if it's updated twice a day (every twelve hours), then use Nyquist and check every six hours. :)
Re: named.conf restored to hint zone for the root by default
Jo Rhett wrote:
> On Aug 3, 2007, at 6:12 PM, John Merryweather Cooper wrote:
> > I would appreciate it if the personal attacks ceased.
>
> There was no personal attack there. I never called him names or made any remark about his lifestyle or anything else. I did say that he isn't paying attention to the people who disagree with him, but that is an observable fact.
>
> > As an observer with no ax to grind on this issue, it is apparent that slaving the root zone is technically possible, but not necessarily good policy.
>
> Actually, it has been argued/shown-by-those-who-would-know that while you can do it, it won't work in a stable manner once everyone starts doing it. The protocol itself is not designed for many unknown associations, really.
>
> > It would be nice if those arguing against slaving the root zone would articulate the specific effects on top-tier servers and quantify them.
>
> This has been done, both here and on the DNS Operations list where this is actually topical. Repeatedly. This topic is dead, horse beaten to crap, except that Doug Barton really loves this idea and won't listen to why it won't work, and why it shouldn't be done, and why he shouldn't have done it that way. He just keeps coming back and saying now lets talk about this some more...

As another person with no ax to grind, my sense is that this was a professional albeit heated discussion. Briefly, it seems to me that Doug introduced changes with no prior discussion - this was his only real fault, and for this he has appropriately apologized. The result of the heated discussion was that the slave zone thingy was turned into an option rather than the default. As far as I am concerned, this is an entirely satisfactory resolution, and shows that the discussions had their desired effect. That the discussions became a little heated merely shows that we are human beings. The main thing is that everyone was upfront and honest about their agendas, and that the matter was resolved in the appropriate technical manner.

Best regards,
Stephen
Re: named.conf restored to hint zone for the root by default
Oliver Fromme wrote:
> By the way, I have changed from hints to slaves on the DNS servers for a large server farm (just testing right now; I might go back to hints if I don't feel it's worth it).

Depending on how many name servers you have you might get a bigger win by slaving the root to one server, then slaving it to the others from your local master. If you're only talking about a few name servers it's probably not worth it though.

> It _seems_ a few applications run with lower latency, but I'll need to run some benchmarks in order to get some hard numbers.

If your stuff is relatively well behaved, and generally only queries a few TLDs you might not get much of a benefit in terms of reduced latency. In this scenario the main advantage is better resilience to a root DDoS. Where this technique really works well is a scenario where you are answering a lot of random queries that could potentially include invalid TLDs and other junk. Not sending those queries to the roots helps reduce traffic for them and for you, and gives you much better latency on the inevitable NXDOMAIN response.

hth,

Doug

-- 
This .signature sanitized for your protection
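Doug's point about junk queries above, as an added example that is not code from the thread, from FreeBSD or from BIND: a resolver that holds a full copy of "." knows the complete set of delegated TLDs, so a query for a name under a TLD that does not exist can get its NXDOMAIN locally instead of costing a round trip to a root server. The miniature root zone, the server names (under the reserved "example" TLD, with 192.0.2.0/24 documentation addresses), the query sample and the function names are all assumptions constructed for the illustration.

```python
"""Classifier for queries against a locally slaved root zone (added example).

Everything here is constructed for the illustration: a real root zone has
many more TLDs and entirely different name servers.
"""

# Constructed miniature root zone in master-file syntax.
ROOT_ZONE = """\
.       86400   IN  SOA  a.root-servers.net. hostmaster.example. 2007080200 1800 900 604800 86400
.       518400  IN  NS   a.root-servers.net.
com.    172800  IN  NS   ns1.tld-servers.example.
net.    172800  IN  NS   ns1.tld-servers.example.
org.    172800  IN  NS   ns2.tld-servers.example.
de.     172800  IN  NS   ns3.tld-servers.example.
arpa.   172800  IN  NS   a.root-servers.net.
ns1.tld-servers.example.  172800  IN  A  192.0.2.1
ns2.tld-servers.example.  172800  IN  A  192.0.2.2
ns3.tld-servers.example.  172800  IN  A  192.0.2.3
"""

# Constructed query mix: the first six are ordinary lookups, the rest are the
# kind of junk (unqualified names, made-up TLDs) that mail scanners and
# proxies tend to emit.
SAMPLE_QUERIES = [
    "www.example.com.", "mail.example.net", "host.example.org.",
    "smtp.example.de.", "mta.example.com", "WWW.EXAMPLE.COM",
    "foo.local", "bar.lan.", "printer.home", "baz.local.", "workgroup",
]


def tld_of(qname):
    """Rightmost label of a name, lower-cased; '' for the root itself."""
    name = qname.strip().rstrip(".").lower()
    return name.rsplit(".", 1)[-1] if name else ""


def parse_delegated_tlds(zone_text):
    """Set of TLD labels that carry an NS delegation in the zone (glue ignored)."""
    tlds = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] != "NS":
            continue
        owner = fields[0].rstrip(".").lower()
        if owner and "." not in owner:      # exactly one label => a TLD
            tlds.add(owner)
    return tlds


def classify(qname, tlds):
    """How a resolver holding a full copy of '.' handles one query."""
    tld = tld_of(qname)
    if tld == "":
        return "LOCAL_AUTH"        # root's own records: answered from the slaved zone
    if tld not in tlds:
        return "LOCAL_NXDOMAIN"    # no such TLD: NXDOMAIN without any upstream round trip
    return "REFER_TO_TLD"          # delegation known locally; next hop is the TLD server


def triage(queries, tlds):
    """Count the outcomes for a batch of queries."""
    counts = {"LOCAL_AUTH": 0, "LOCAL_NXDOMAIN": 0, "REFER_TO_TLD": 0}
    for q in queries:
        counts[classify(q, tlds)] += 1
    return counts


def root_queries_cold_cache(queries, slaved):
    """Root-server round trips for this batch from a cold cache.

    Simplified model: with a hint zone each distinct TLD costs one root query
    before the referral (or the RFC 2308 negative answer) is cached; with a
    slaved root the data is already local, so the count is zero."""
    return 0 if slaved else len({tld_of(q) for q in queries})


if __name__ == "__main__":
    tlds = parse_delegated_tlds(ROOT_ZONE)
    print("delegated TLDs:", sorted(tlds))
    print("outcomes:", triage(SAMPLE_QUERIES, tlds))
    print("root queries from a cold cache, hints vs slaved:",
          root_queries_cold_cache(SAMPLE_QUERIES, False),
          root_queries_cold_cache(SAMPLE_QUERIES, True))
```

The cold-cache count is the honest way to read the comparison: once a hint-based resolver has cached a referral or a negative answer for a TLD, the two setups behave the same until the TTL runs out, so the latency win Doug describes is per distinct junk TLD, which is exactly where scanners and proxies generate variety.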
Re: named.conf restored to hint zone for the root by default
Doug Barton wrote:
> Oliver Fromme wrote:
> > However, I noticed that the refresh interval of the root zone is 1800, i.e. it would be fetched every 30 minutes,
>
> No, refresh is how often the master servers are checked for serial number changes.

True, I forgot about that. Thanks for reminding me.

> This is why what's suggested below is not a good idea either.

Of course, you're right.

By the way, I have changed from hints to slaves on the DNS servers for a large server farm (just testing right now; I might go back to hints if I don't feel it's worth it). It _seems_ a few applications run with lower latency, but I'll need to run some benchmarks in order to get some hard numbers.

I will keep the hints zone on my office workstation and on my home machine. There seems to be consensus that slaving the root is not desirable in these cases. (Please correct me if I'm wrong.)

Best regards
   Oliver
Re: named.conf restored to hint zone for the root by default
On Aug 2, 2007, at 3:05 AM, Doug Barton wrote:
> I hope that we can now dial down the volume on the meta-issue of how the change was done, and focus on the operational issues of whether it's a good idea or not.

Which has been answered to you, repeatedly, by the very people who know this best.

A better question is what kind of beer/wine/cracker do we need to feed you so that your ears will open up and you'll start hearing the answers.

-- 
Jo Rhett
senior geek
Silicon Valley Colocation
Support Phone: 408-400-0550
Re: named.conf restored to hint zone for the root by default
On Aug 3, 2007, at 5:25 PM, Doug Barton wrote:
> I'm getting tired of repeating this. A lot of really smart people are lined up on BOTH sides of this issue. You might want to take another look at the threads about this on the OARC list (or even this list for that matter) and try to have an open mind. Repeating "this is a bad idea" over and over again doesn't make it more true.

No, they aren't. I'm actually quite amazed at your resistance to hearing what is being said. Several people (not a lot) think that slaving the root zone makes some good operational sense in specific scenarios. One person thought that the world would be a better place if it were operationally possible.

NOBODY thinks that this will work in the real world, today, in a stable manner. NOBODY thinks that having *every* home user slaving the root makes good sense, even if it was operationally possible. And NOBODY thinks that just doing it without asking first was a good way to handle it.

I'm really not sure why I wasted the keystrokes to write this, because you've been consistently willing to ignore pretty much everything said to you so far. I guess I'm just praying that perhaps, just maybe, this time you'll start paying attention.

-- 
Jo Rhett
Re: named.conf restored to hint zone for the root by default
On Fri, 3 Aug 2007, Jo Rhett wrote:
> On Aug 2, 2007, at 3:05 AM, Doug Barton wrote:
> > I hope that we can now dial down the volume on the meta-issue of how the change was done, and focus on the operational issues of whether it's a good idea or not.
>
> Which has been answered to you, repeatedly, by the very people who know this best.

Jo,

I'm getting tired of repeating this. A lot of really smart people are lined up on BOTH sides of this issue. You might want to take another look at the threads about this on the OARC list (or even this list for that matter) and try to have an open mind. Repeating "this is a bad idea" over and over again doesn't make it more true.

Doug

-- 
If you're never wrong, you're not trying hard enough
Re: named.conf restored to hint zone for the root by default
On Aug 3, 2007, at 6:12 PM, John Merryweather Cooper wrote:
> I would appreciate it if the personal attacks ceased.

There was no personal attack there. I never called him names or made any remark about his lifestyle or anything else. I did say that he isn't paying attention to the people who disagree with him, but that is an observable fact.

> As an observer with no ax to grind on this issue, it is apparent that slaving the root zone is technically possible, but not necessarily good policy.

Actually, it has been argued/shown-by-those-who-would-know that while you can do it, it won't work in a stable manner once everyone starts doing it. The protocol itself is not designed for many unknown associations, really.

> It would be nice if those arguing against slaving the root zone would articulate the specific effects on top-tier servers and quantify them.

This has been done, both here and on the DNS Operations list where this is actually topical. Repeatedly. This topic is dead, horse beaten to crap, except that Doug Barton really loves this idea and won't listen to why it won't work, and why it shouldn't be done, and why he shouldn't have done it that way. He just keeps coming back and saying now lets talk about this some more...

-- 
Jo Rhett
Re: named.conf restored to hint zone for the root by default
Jo Rhett wrote:
> On Aug 3, 2007, at 5:25 PM, Doug Barton wrote:
> > I'm getting tired of repeating this. A lot of really smart people are lined up on BOTH sides of this issue. You might want to take another look at the threads about this on the OARC list (or even this list for that matter) and try to have an open mind. Repeating "this is a bad idea" over and over again doesn't make it more true.
>
> No, they aren't. I'm actually quite amazed at your resistance to hearing what is being said. Several people (not a lot) think that slaving the root zone makes some good operational sense in specific scenarios. One person thought that the world would be a better place if it were operationally possible.
>
> NOBODY thinks that this will work in the real world, today, in a stable manner. NOBODY thinks that having *every* home user slaving the root makes good sense, even if it was operationally possible. And NOBODY thinks that just doing it without asking first was a good way to handle it.
>
> I'm really not sure why I wasted the keystrokes to write this, because you've been consistently willing to ignore pretty much everything said to you so far. I guess I'm just praying that perhaps, just maybe, this time you'll start paying attention.

I would appreciate it if the personal attacks ceased. As an observer with no ax to grind on this issue, it is apparent that slaving the root zone is technically possible, but not necessarily good policy. It would be nice if those arguing against slaving the root zone would articulate the specific effects on top-tier servers and quantify them. As it is, this thread is painful to read because of the dross-to-substance ratio being rather high.

jmc
named.conf restored to hint zone for the root by default
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

In an effort to find some kind of balance (I won't even try to say consensus) between those who hate the idea of slaving the root zones, those who like the idea but don't want it to be the default, and those who like the idea, I've made the following change:

1. Change the default behavior back to using a hint zone for the root.
2. Leave the root slave zone config as a commented out example.
3. Remove the B and F root servers from the example at the request of their operators.

I hope that we can now dial down the volume on the meta-issue of how the change was done, and focus on the operational issues of whether it's a good idea or not.

FYI,

Doug

- -- 
This .signature sanitized for your protection
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFGsax1yIakK9Wy8PsRA9ilAJ0RwNqVm3qOaCS2RXOqAOte6pCajgCfWmOF
J124uJLcCaBdRGk3Smk7KVI=
=tr+m
-----END PGP SIGNATURE-----
Re: named.conf restored to hint zone for the root by default
Skip Ford wrote:
> If the operators were required to support it, I think everyone should slave the roots, not just those running busy servers.

Actually I don't think that's the right way to do it at all. What is needed here is a reliable (DNSSEC, or at least TSIG) out of band method to allow the masses to slave the root without loading the root servers themselves. I'd like to see consensus and resources build around that. ICANN is making some tentative steps in that direction already: https://ns.iana.org/dnssec/status.html

> Just like I'd think everyone should sync with stratum-1 servers if those operators supported everyone doing that.

I've already pointed out that this is a silly analogy, as the two things have nothing in common. At the most basic level:

    NTP                                     DNS
    Individual hosts don't need to sync     Everyone needs the root data
    with a strat 1 ntpd
    The strat 1 folks have asked people     The roots are open to all by design
    not to do that

-- 
This .signature sanitized for your protection
Re: named.conf restored to hint zone for the root by default
Doug Barton wrote:
> In an effort to find some kind of balance (I won't even try to say consensus) between those who hate the idea of slaving the root zones, those who like the idea but don't want it to be the default, and those who like the idea, I've made the following change:
>
> 1. Change the default behavior back to using a hint zone for the root.
> 2. Leave the root slave zone config as a commented out example.
> 3. Remove the B and F root servers from the example at the request of their operators.
>
> I hope that we can now dial down the volume on the meta-issue of how the change was done, and focus on the operational issues of whether it's a good idea or not.

Thanks. I'm afraid the consensus has to come from the operators, not from FreeBSD folks. If the operators were required to support it, I think everyone should slave the roots, not just those running busy servers. Just like I'd think everyone should sync with stratum-1 servers if those operators supported everyone doing that.

-- 
Skip
Re: named.conf restored to hint zone for the root by default
On Thu, Aug 02, 2007 at 06:34:59AM -0400, Skip Ford wrote:
> Doug Barton wrote:
> > In an effort to find some kind of balance (I won't even try to say consensus) between those who hate the idea of slaving the root zones, those who like the idea but don't want it to be the default, and those who like the idea, I've made the following change:
> >
> > 1. Change the default behavior back to using a hint zone for the root.
> > 2. Leave the root slave zone config as a commented out example.
> > 3. Remove the B and F root servers from the example at the request of their operators.
> >
> > I hope that we can now dial down the volume on the meta-issue of how the change was done, and focus on the operational issues of whether it's a good idea or not.
>
> Thanks. I'm afraid the consensus has to come from the operators, not from FreeBSD folks. If the operators were required to support it, I think everyone should slave the roots, not just those running busy servers. Just like I'd think everyone should sync with stratum-1 servers if those operators supported everyone doing that.

pool.root-servers.net sounds like a good idea :-)

Edwin

-- 
Edwin Groothuis      | Personal website: http://www.mavetju.org
[EMAIL PROTECTED]    | Weblog: http://www.mavetju.org/weblog/
Re: named.conf restored to hint zone for the root by default
Hi,

Just for the record, I like the current solution, i.e. default being a hint zone, and slave zones being commented out, ready to be used for those who know what they're doing.

However, I noticed that the refresh interval of the root zone is 1800, i.e. it would be fetched every 30 minutes, even though the zone seems to be updated at most once per day. Therefore, wouldn't it make sense to add the following option to the slave zones?

    min-refresh-time 86400;

Best regards
   Oliver
Re: named.conf restored to hint zone for the root by default
Oliver Fromme wrote:
> Hi,
>
> Just for the record, I like the current solution, i.e. default being a hint zone, and slave zones being commented out, ready to be used for those who know what they're doing.

Thanks.

> However, I noticed that the refresh interval of the root zone is 1800, i.e. it would be fetched every 30 minutes,

No, refresh is how often the master servers are checked for serial number changes. It's only fetched when the serial is updated.

> even though the zone seems to be updated at most once per day.

The serial is updated twice a day whether there are content changes to the zone or not. Whether this is a good practice or not is an open question. In the odd chance that a change is introduced which is found to be bad for some reason, the zone can be updated more frequently than twice a day. This hasn't happened very often, but it has happened. This is why what's suggested below is not a good idea either.

hth,

Doug

Eygene Ryabinkin wrote:
> Doug, good day.
>
> Thu, Aug 02, 2007 at 03:14:38AM -0700, Doug Barton wrote:
> > Matthew Dillon wrote:
> > > It has always seemed to me that actually downloading a physical root zone file once a week is the most reliable solution.
> >
> > This is a really bad idea. The root zone changes slowly, but it often changes more than once a week. Add to that the more-rapid deployment of new TLDs nowadays and the occasional complete reprovisioning of an existing TLD, and one week is too long to go between updates.
>
> But if one will pull the root zone via FTP/HTTP at the zone's refresh rate or so -- will it be still a bad idea, compared to the AXFR method?

-- 
This .signature sanitized for your protection
Re: named.conf restored to hint zone for the root by default
On Thu, Aug 02, 2007 at 01:49:39PM -0700, Doug Barton wrote:
> Oliver Fromme wrote:
> > Hi,
> >
> > Just for the record, I like the current solution, i.e. default being a hint zone, and slave zones being commented out, ready to be used for those who know what they're doing.

I second this. And although I like Doug's use of AXFR from the roots (like others reported, it definitely speeds things up), I also want to continue to respect rootserver operators and dns-ops's concerns. So offering the template configuration to do so, but not enabling it by default, is a very good thing. Thank you for doing this, Doug.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: named.conf restored to hint zone for the root by default
Jeremy Chadwick wrote:
> On Thu, Aug 02, 2007 at 01:49:39PM -0700, Doug Barton wrote:
> > Oliver Fromme wrote:
> > > Hi,
> > >
> > > Just for the record, I like the current solution, i.e. default being a hint zone, and slave zones being commented out, ready to be used for those who know what they're doing.
>
> I second this. And although I like Doug's use of AXFR from the roots (like others reported, it definitely speeds things up), I also want to continue to respect rootserver operators and dns-ops's concerns.

Something that I haven't mentioned but I think is probably worth pointing out is that at least for Paul Vixie (operator of f.root) the concern is not for the root servers, it's for potential problems on the client side. The following is from http://lists.oarci.net/pipermail/dns-operations/2007-August/001920.html

    i remain perplexed about the general perception that AXFR is bad for a root name server. it's not. RFC1035 describes some resource management techniques for TCP state blobs, which the root servers follow. the chance that an AXFR will be blown away by a TCP query is very high, and so, it's bad for clients to make production use of AXFR from busy servers.

The 3 zones in question are actually really small:

    -rw-r--r--  1 bind  wheel   1.6K Aug  2 14:25 arpa.slave
    -rw-r--r--  1 bind  wheel    23K Aug  2 14:24 in-addr.arpa.slave
    -rw-r--r--  1 bind  wheel    64K Aug  2 14:30 root.slave

so I'm not sure how much of a problem this is in practice.

> So offering the template configuration to do so, but not enabling it by default, is a very good thing. Thank you for doing this, Doug.

Glad to do it. I'm also glad to see that this topic is getting serious discussion.

Doug

-- 
This .signature sanitized for your protection
Re: named.conf restored to hint zone for the root by default
> Date: Thu, 2 Aug 2007 22:42:47 +0200 (CEST)
> From: Oliver Fromme [EMAIL PROTECTED]
> Sender: [EMAIL PROTECTED]
>
> Hi,
>
> Just for the record, I like the current solution, i.e. default being a hint zone, and slave zones being commented out, ready to be used for those who know what they're doing.
>
> However, I noticed that the refresh interval of the root zone is 1800, i.e. it would be fetched every 30 minutes, even though the zone seems to be updated at most once per day. Therefore, wouldn't it make sense to add the following option to the slave zones?
>
>     min-refresh-time 86400;

Once again... refresh is not the time between zone transfers. It is the time between serial number checks on the root SOA. Only if the SOA differs is the zone transferred. The SOA queries to root (one per DNS server every half hour) are not an issue according to Paul Vixie.

Also, the root zone is updated twice a day, every day (at least to the extent of a serial number bump) whether it is needed or not. Forcing the minimum refresh to once a day could delay the recognition of a new zone for up to a day and that is not a good thing.

-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]                  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: named.conf restored to hint zone for the root by default
> Jeremy Chadwick wrote:
> > On Thu, Aug 02, 2007 at 01:49:39PM -0700, Doug Barton wrote:
> > > Oliver Fromme wrote:
> > > > Hi,
> > > >
> > > > Just for the record, I like the current solution, i.e. default being a hint zone, and slave zones being commented out, ready to be used for those who know what they're doing.
> >
> > I second this. And although I like Doug's use of AXFR from the roots (like others reported, it definitely speeds things up), I also want to continue to respect rootserver operators and dns-ops's concerns.
>
> Something that I haven't mentioned but I think is probably worth pointing out is that at least for Paul Vixie (operator of f.root) the concern is not for the root servers, it's for potential problems on the client side. The following is from http://lists.oarci.net/pipermail/dns-operations/2007-August/001920.html
>
>     i remain perplexed about the general perception that AXFR is bad for a root name server. it's not. RFC1035 describes some resource management techniques for TCP state blobs, which the root servers follow. the chance that an AXFR will be blown away by a TCP query is very high, and so, it's bad for clients to make production use of AXFR from busy servers.
>
> The 3 zones in question are actually really small:
>
>     -rw-r--r--  1 bind  wheel   1.6K Aug  2 14:25 arpa.slave
>     -rw-r--r--  1 bind  wheel    23K Aug  2 14:24 in-addr.arpa.slave
>     -rw-r--r--  1 bind  wheel    64K Aug  2 14:30 root.slave
>
> so I'm not sure how much of a problem this is in practice.

I also suspect that using accept filters will mitigate some of the problem. If someone was to write a DNS accept filter that would help.

> > So offering the template configuration to do so, but not enabling it by default, is a very good thing. Thank you for doing this, Doug.
>
> Glad to do it. I'm also glad to see that this topic is getting serious discussion.
>
> Doug

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
Re: named.conf restored to hint zone for the root by default
> Hi,
>
> Just for the record, I like the current solution, i.e. default being a hint zone, and slave zones being commented out, ready to be used for those who know what they're doing.
>
> However, I noticed that the refresh interval of the root zone is 1800, i.e. it would be fetched every 30 minutes, even though the zone seems to be updated at most once per day. Therefore, wouldn't it make sense to add the following option to the slave zones?

No, it is *NOT* fetched every 30 minutes. The SOA is queried every 30 minutes (via UDP) and if the serial has increased then the zone is fetched.

>     min-refresh-time 86400;

No. Let the root server operators make that choice. The refresh / retry limits in named are there for ISPs which slave tens of thousands of client zones.

> Best regards
>    Oliver

-- 
Mark Andrews, ISC
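The refresh semantics that Doug Barton, Kevin Oberman and Mark Andrews spell out above (the SOA refresh value is the interval between serial checks, the zone is transferred only when the serial has moved, and a min-refresh-time floor delays how soon a change is noticed), as an added event-driven simulation that is not code from the thread, from FreeBSD or from BIND. Only the refresh value 1800 and the twice-daily serial bump come from the thread; the starting serial, the retry value, the slave's first-check offset of 600 seconds and the class and function names are assumptions constructed for the model.

```python
"""Model of a slave's SOA-check / transfer schedule (added example).

Constructed assumptions: the master bumps its serial every 12 hours from
t=0, the slave's first SOA query falls at t=600, retry is 900.  The refresh
value 1800 is the root zone's, as quoted in the thread.
"""

from dataclasses import dataclass

BASE_SERIAL = 2007080200   # constructed date-style starting serial
BUMP_INTERVAL = 43200      # master bumps the serial twice a day
REFRESH = 1800             # root zone SOA refresh discussed in the thread
RETRY = 900                # constructed


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: True if a is newer than b (mod 2**32)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def master_serial_at(t):
    """Serial the master advertises at simulated time t."""
    return BASE_SERIAL + t // BUMP_INTERVAL


def bump_time(serial):
    """Simulated time at which the master introduced a given serial."""
    return (serial - BASE_SERIAL) * BUMP_INTERVAL


@dataclass
class SlaveZone:
    serial: int = BASE_SERIAL      # serial of the copy held locally
    refresh: int = REFRESH
    retry: int = RETRY
    min_refresh_time: int = 0      # floor applied to refresh; 0 means no floor
    next_check: int = 600          # constructed phase offset of the first SOA query
    soa_checks: int = 0            # small UDP SOA queries sent to the master
    transfers: int = 0             # zone transfers actually performed

    def effective_refresh(self):
        # the min-refresh-time option raises the SOA refresh value to at least this
        return max(self.refresh, self.min_refresh_time)

    def check(self, now, master_up=True):
        """One scheduled SOA check at time `now`; returns what happened."""
        self.soa_checks += 1
        if not master_up:
            self.next_check = now + self.retry        # try again after retry
            return "retry"
        master = master_serial_at(now)
        self.next_check = now + self.effective_refresh()
        if serial_gt(master, self.serial):
            self.transfers += 1                       # only now is the zone fetched
            self.serial = master
            return "transfer"
        return "unchanged"                            # serial equal: nothing fetched


def simulate(zone, horizon):
    """Run the slave's schedule until `horizon` seconds.

    Returns (soa_checks, transfers, worst_lag), where worst_lag is the
    longest time a master serial bump went unfetched by this slave."""
    worst_lag = 0
    while zone.next_check < horizon:
        now = zone.next_check
        held = zone.serial
        if zone.check(now) == "transfer":
            # the oldest bump picked up by this transfer is held + 1
            worst_lag = max(worst_lag, now - bump_time(held + 1))
    return zone.soa_checks, zone.transfers, worst_lag


if __name__ == "__main__":
    two_days = 2 * 86400
    print("refresh 1800:           ", simulate(SlaveZone(), two_days))
    print("min-refresh-time 86400: ", simulate(SlaveZone(min_refresh_time=86400), two_days))
```

Over two simulated days the default schedule sends 96 SOA queries but performs only three transfers (one per serial bump), with each bump noticed within the check interval; with the refresh floored at 86400 the slave sends two SOA queries, performs one transfer, and the 12:00 bump sits unfetched for about twelve hours, which is the delay Kevin Oberman warns about.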
Re: named.conf restored to hint zone for the root by default
I've been using a stub root zone for years without a problem.

-- 
Christopher
Re: named.conf restored to hint zone for the root by default
Doug Barton wrote:
> Skip Ford wrote:
> > Just like I'd think everyone should sync with stratum-1 servers if those operators supported everyone doing that.
>
> I've already pointed out that this is a silly analogy, as the two things have nothing in common. At the most basic level:
>
>     NTP                                     DNS
>     Individual hosts don't need to sync     Everyone needs the root data
>     with a strat 1 ntpd
>     The strat 1 folks have asked people     The roots are open to all by design
>     not to do that

It really is an apt analogy. You don't see it because you believe the roots are open to all. If they really were open to all, there would've been no objections to your change. The methods by which the data made available by the roots is available to all is well-defined, and AXFR isn't included in that definition. In fact, it's recommended against.

-- 
Skip