DNS - slaving the root zone

Doug Barton dougb at FreeBSD.org
Fri Feb 17 23:59:27 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/17/2012 05:41, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
> 
> 
> We're currently having a discussion on the FRnOG mailing list regarding
> the laughable announcement of an attack on the DNS root servers by
> Anonymous.

Given their success at their previous endeavors, I wouldn't call it
"laughable." Even if they are unsuccessful at taking down all of the
root servers, if *your* particular part of the Internet gets knocked
down, that's pretty important to you, right?

OTOH, I think that actually doing what they state they want to do will
be very difficult, and not likely to produce the results that they
believe it will. However, unlike some in the DNS/Security communities I
do not intend to outline the deficiencies in their plan, lest they take
advantage of the opportunity to improve it. :)

> I've kinda hijacked the thread to ask whether people slave the root zone
> or not, and why if not.

Well there is no secret that I (and many others) think it's a good idea.

> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
> pointed out that it might not be a good idea and submitted the following
> discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html

I know Stephane professionally, and I respect his opinion about many
topics. On this topic we disagree.

> Do you still believe slaving the root zone to be a bad idea ?

I never thought it was a bad idea. I've been suggesting that people do
it for years. :)

To clarify, almost universally the opposition to the idea centers around
the problems of users who enable this method, and then don't notice if
something changes/breaks, resulting in a stale zone (or zones, depending
on what you choose to slave). I have always acknowledged that this is a
valid concern, just not one that I think overwhelms the virtues of doing
the slaving in the first place.

The method currently in comments in /etc/namedb/named.conf suggests
servers generously provided by ICANN that are dedicated to allowing AXFR
of various infrastructure zones. (Note, ICANN does not necessarily
endorse the idea of slaving these zones for resolvers, but I do have
their permission to include these servers in our named.conf.) That
alleviates one of the other criticisms of slaving these zones, as it
presents no load on the actual root servers at all.

So in short, this is an excellent idea, I've been doing it/recommending
it for years, and assuming you have the knowledge/ability to keep your
resolvers up to date (and/or you're tracking our named.conf where I do
it for you) then it's totally safe to do.


hth,

Doug

- -- 

	It's always a long day; 86400 doesn't fit into a short.

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iQEcBAEBCAAGBQJPPumEAAoJEFzGhvEaGryE5PUH/RmKV4VLjj+iaThsP3BMsN6M
hapYkYUCLeCjPRcN1mhHuR8sjIZ+NV/UUs7MtBxxKzPkeQQx65vmY1pDD66BPIFA
qAFix/BqUbpYoBKLwkPkVMCEF7JCpJ5D8r+4EedybLvxzivpbdzROrPhyOHBinTB
5hxYUfb1t1peY23C4pk3+3k9kSFm0A1lF0JhNCdsvXTl8nZF1LiCChllwN7S//mH
F1jAPHqNtxi+//LzFY913yCHtNrOi2PJT+iiKBBbJxgnr5+HvzdhXATPWEzB1AZE
nDZcc5+zETiFKeTn/zyk4FXoWskcgkYeOfLY1ka+afe6djWsZDb5q8GKVpThgJQ=
=EmJF
-----END PGP SIGNATURE-----
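The message above describes slaving the root zone from dedicated AXFR servers and names the one risk everyone agrees on: a slave that silently goes stale. The script below is an added example, not part of Doug's message or the FreeBSD named.conf; it prints the kind of BIND zone stanza that setup uses and implements a staleness check that can run from cron. The master addresses are placeholders from the documentation range (substitute the ICANN AXFR servers listed in the commented section of /etc/namedb/named.conf), the sample SOA line is constructed, and the function names are the script's own.

```shell
#!/bin/sh
# Added example: named.conf stanza for slaving "." plus a staleness check.
# Placeholder masters from 192.0.2.0/24; replace with the AXFR servers
# named in the comments of /etc/namedb/named.conf.

# Print a named.conf stanza for slaving the root zone from the given masters.
# Usage: root_slave_stanza "192.0.2.10; 192.0.2.11;"
root_slave_stanza() {
    cat <<EOF
zone "." {
    type slave;
    file "slave/root.slave";
    masters { $1 };
    notify no;
};
EOF
}

# Extract the serial (third field) from a "dig +short SOA" answer line.
# Constructed sample input:
#   "a.root-servers.net. nstld.verisign-grs.com. 2012021700 1800 900 604800 86400"
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Ask a server for the root zone serial. Needs dig(1) and network access,
# so it is kept apart from the arithmetic below, which runs offline.
fetch_root_serial() {
    soa_serial "$(dig +short SOA . "@$1")"
}

# Julian day number for a YYYYMMDD string (integer arithmetic only, so it
# behaves the same on GNU and BSD userlands, unlike date(1) flags).
julian_day() {
    jy=$(printf '%s' "$1" | cut -c1-4)
    jm=$(printf '%s' "$1" | cut -c5-6); jm=${jm#0}
    jd=$(printf '%s' "$1" | cut -c7-8); jd=${jd#0}
    ja=$(( (14 - jm) / 12 ))
    jy2=$(( jy + 4800 - ja ))
    jm2=$(( jm + 12 * ja - 3 ))
    echo $(( jd + (153 * jm2 + 2) / 5 + 365 * jy2 + jy2 / 4 - jy2 / 100 + jy2 / 400 - 32045 ))
}

# Age in whole days of a root zone serial (YYYYMMDDNN) relative to a
# YYYYMMDD date. The root serial encodes the day it was generated.
serial_age_days() {
    serial_date=$(printf '%s' "$1" | cut -c1-8)
    echo $(( $(julian_day "$2") - $(julian_day "$serial_date") ))
}

# Exit 0 if the local serial is no older than MAXDAYS, 1 if it is stale.
# Usage: check_root_slave LOCAL_SERIAL TODAY_YYYYMMDD MAXDAYS
check_root_slave() {
    age=$(serial_age_days "$1" "$2")
    if [ "$age" -gt "$3" ]; then
        echo "root slave is stale: serial $1 is $age days old (limit $3)" >&2
        return 1
    fi
    return 0
}

# Typical cron use (needs network):
#   check_root_slave "$(fetch_root_serial 127.0.0.1)" "$(date +%Y%m%d)" 3
```

The root zone serial changes often, so a copy whose serial date is more than a few days behind the calendar is a sign that transfers have stopped; comparing against the calendar rather than against a root server means the check itself adds no load to the root servers and still works when the upstream query fails.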
