DNS - slaving the root zone

Doug Barton dougb at FreeBSD.org
Sun Feb 19 00:14:48 UTC 2012


On 02/18/2012 03:23, Damien Fleuriot wrote:
> 
> On 2/18/12 12:57 AM, Doug Barton wrote:
>>
>> To clarify, almost universally the opposition to the idea centers around
>> the problems of users who enable this method, and then don't notice if
>> something changes/breaks, resulting in a stale zone (or zones, depending
>> on what you choose to slave). I have always acknowledged that this is a
>> valid concern, just not one that I think overwhelms the virtues of doing
>> the slaving in the first place.
>>
> 
> Could you elaborate on the "something changes/breaks, admin doesn't
> notice, results in a stale zone" bit ?

Most commonly whatever auth. server the user is axfr'ing from suddenly
stops offering that ability.

> I fail to see the circumstances under which that could happen.

I tend to agree, which is why I weight this particular objection pretty
low. If you don't notice failed axfrs, you've already got deeper
problems. :)

To be fair however, there are a lot of people who believe (rightly or
wrongly) that resolving DNS should be a "fire and forget" service. Those
of us who do this for a living know that this was never true, and DNSSEC
makes that even less true. However, if you happen to be one of those
people, this method is not for you.

> Indeed, been deleting the traditional hint file based . zone for a while
> and using the slaving mechanism for over a year already, works fine
> enough for us.

I'm glad to hear that. Makes me feel that my efforts in this area have
been worthwhile.

> You have me somewhat worried with the bit about something breaking
> though, thus the call for details ;)

Understood. You don't seem to be the type of operator who is likely to
run afoul here, FWIW.


Doug

-- 

	It's always a long day; 86400 doesn't fit into a short.

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/


