DNS - slaving the root zone
ml at my.gd
Sat Feb 18 11:23:40 UTC 2012
On 2/18/12 12:57 AM, Doug Barton wrote:
> To clarify, almost universally the opposition to the idea centers around
> the problems of users who enable this method, and then don't notice if
> something changes/breaks, resulting in a stale zone (or zones, depending
> on what you choose to slave). I have always acknowledged that this is a
> valid concern, just not one that I think overwhelms the virtues of doing
> the slaving in the first place.
Could you elaborate on the "something changes/breaks, admin doesn't
notice, results in a stale zone" bit?
I fail to see the circumstances under which that could happen.
> The method currently in comments in /etc/namedb/named.conf suggests
> servers generously provided by ICANN that are dedicated to allowing AXFR
> of various infrastructure zones. (Note, ICANN does not necessarily
> endorse the idea of slaving these zones for resolvers, but I do have
> their permission to include these servers in our named.conf.) That
> alleviates one of the other criticisms of slaving these zones, as it
> presents no load on the actual root servers at all.
> So in short, this is an excellent idea, I've been doing it/recommending
> it for years, and assuming you have the knowledge/ability to keep your
> resolvers up to date (and/or you're tracking our named.conf where I do
> it for you) then it's totally safe to do.
Indeed, been deleting the traditional hint-file-based "." zone for a while
and using the slaving mechanism for over a year already; works fine
enough for us.
You have me somewhat worried with the bit about something breaking
though, thus the call for details ;)
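The failure mode Doug Barton alludes to (zone transfers stop, nobody notices, the slaved copy goes stale) is easy to watch for, because the root zone serial is date-based (YYYYMMDDNN) and the root zone is updated several times a day. The script below is an added example for this thread, not code from either poster and not the FreeBSD named.conf method; it assumes dig is installed, that the resolver under test answers SOA queries for "." on 127.0.0.1, and uses a.root-servers.net as the reference serial by default (any root server, or the ICANN AXFR hosts, would do). The threshold of two days and the script name are choices made here, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): staleness check for a locally slaved
# root zone. The serial a resolver serves is compared with the serial a root
# server publishes, and the lag is expressed in days. A slave whose transfers
# silently stopped shows a growing lag; once the SOA expire interval passes
# (604800 s, one week, on the root zone) BIND stops answering for the zone.

# Days since 1970-01-01 for a civil date (days_from_civil in POSIX shell
# arithmetic), so that 20120131 -> 20120201 counts as one day, not seventy.
days_from_civil() {
    y=$1 m=$2 d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$(( (y >= 0 ? y : y - 399) / 400 ))
    yoe=$(( y - era * 400 ))
    doy=$(( (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Convert a root-zone serial (YYYYMMDDNN) to a day number. Anything that is
# not exactly ten digits is rejected, so a garbled dig answer cannot pass.
serial_to_days() {
    s=$1
    case $s in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad serial: '$s'" >&2; return 1 ;;
    esac
    ymd=${s%??}                 # drop the NN revision counter
    y=${ymd%????}
    md=${ymd#????}
    m=${md%??}; m=${m#0}        # strip leading zero: $((08)) is an octal error
    d=${md#??}; d=${d#0}
    days_from_civil "$y" "$m" "$d"
}

# Print how many days the local serial lags the upstream serial
# (0 when equal, or when the local copy is somehow ahead).
serial_lag_days() {
    local_days=$(serial_to_days "$1") || return 1
    upstream_days=$(serial_to_days "$2") || return 1
    lag=$((upstream_days - local_days))
    [ "$lag" -lt 0 ] && lag=0
    echo "$lag"
}

# True (exit 0) when the local copy lags by more than max_days.
# An unparsable serial on either side counts as stale.
root_zone_is_stale() {
    lag=$(serial_lag_days "$1" "$2") || return 0
    [ "$lag" -gt "$3" ]
}

# Fetch the SOA serial of "." from a server with dig (network required).
soa_serial() {
    dig +short +time=3 +tries=1 @"$1" . SOA | awk 'NF >= 3 { print $3; exit }'
}

# Live check: compare the resolver at $1 with the reference server at $2.
# Exits 2 when stale, so it can be run from cron or a monitoring agent.
check_live() {
    resolver=$1 reference=${2:-a.root-servers.net} max_days=${3:-2}
    local_serial=$(soa_serial "$resolver")
    upstream_serial=$(soa_serial "$reference")
    if root_zone_is_stale "$local_serial" "$upstream_serial" "$max_days"; then
        echo "STALE: $resolver serves root serial '$local_serial'," \
             "$reference publishes '$upstream_serial'" >&2
        return 2
    fi
    echo "OK: root serial $local_serial (upstream $upstream_serial)"
}

# Only touch the network when asked to, e.g.:
#   sh root-zone-stale.sh --live 127.0.0.1 [reference-server] [max-days]
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-127.0.0.1}" "${3:-}" "${4:-}"
fi
```

Two days of lag is already far more than the root zone's own refresh interval, so a hit almost always means transfers have stopped rather than that the zone is merely quiet; the check deliberately fires on an empty or malformed serial too, since a resolver that cannot answer an SOA query for "." is the exact outcome the hint-file deletion makes possible.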