default dns config change causing major poolpah

Doug Barton dougb at
Wed Aug 1 20:32:45 UTC 2007

Replying en masse to bring related thoughts together. It was already
posted, but a more complete treatment of my reasoning is found at:

Skip Ford wrote:
> Randy Bush wrote:
>> the undiscussed and unannounced change to the default dns config
>> to cause local transfer of the root and arpa zone files has
>> raised major discussion in the dns operational community. (see
>> the mailing list dns-operations at
>> did i miss the discussion here?
> No.  There was none.
>> i have spent some hours turning off the default bind and going 
>> custom on a dozen or so machines around the planet.  i am not 
>> happy.


You might make your life a little easier by checking out src.conf(1)
in 7-current and make.conf(1) in 6-stable which both document the
various NO_BIND_* knobs that are available. What you probably want is

> I don't have an axe to grind.  I don't run the default config on 
> any of my 2 dozen name servers (not all of which run bind anyway) 
> so I wasn't really affected by the change.
> However, I thought it was a really, really, terrible idea,

You're entitled to your opinion. If you take a look at the thread on
the dns-operations list you'll see that there are a lot of really
smart people lined up on both sides of this argument.

> and a rather rude act considering it relies on the charity of 
> others to not break.

The same can be said of the root server network in general.

> There is no requirement that FreeBSD users be permitted to slave 
> the roots.  Everyone who uses the default config can have their 
> setups broken the day after installation.

The root server operators do not make changes in this kind of abrupt

> We never asked permission to use the resources of others in this
> way, and they're not required to allow us to do so.

Once again, the same is true of resolution from the root servers as well.

> The original commit message for the change indicated it was done to
>  bring us in line with "current best practices" but that commit 
> message is the only place I have ever seen anyone say that slaving 
> the roots is current best practice.

The BCP comment you're referring to was in regards to the default
localhost zone generation which is not in any way related. Please see:

Heiko Wundram (Beenic) wrote:
> On Wednesday 01 August 2007 13:07:27, Skip Ford wrote:
>> <snip>
> You might want to check the thread starting with:
> <200707162319.41724.lofi at> ("Problems with named default
> configuration in 6-STABLE")

Easier for most folks to access this by:

That thread involved an issue of resolving local zones that could not
be resolved because of a combination of slaving the root zone and the
new default empty reverse zones for RFC 1918 space; and how that
interacted with the forwarders clause that user had in his config.

Dag-Erling Smørgrav wrote:

> This is about on par with <unnamed network equipment manufacturer>
> selling SOHO routers that synchronize their clocks using stratum-1
> NTP servers.

I don't really think that analogy holds up, given that those who run
public stratum-1 NTP servers specifically request that individual
hosts not sync from them. The root server operators have a choice of
whether to enable AXFR or not. Also, that configuration could not be
changed, but named.conf can be changed easily.

If there is a consensus based on solid technical reasons (not emotion
or FUD) to back the root zone slaving change out, I'll be glad to do
so. I think it would be very useful at this point if those who _like_
the change would speak up publicly as well.




    This .signature sanitized for your protection
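An added example, not code from the thread or from FreeBSD: a small audit of a named.conf that reports whether zone "." is slaved (and so depends on the listed masters continuing to permit AXFR) and flags the combination described above from the 6-STABLE thread (slaved root, forwarders clause, empty RFC 1918 reverse zones). The sample config is constructed; its master and forwarder addresses are RFC 5737 placeholders, not real root servers.

```python
import re

# Constructed sample, not the FreeBSD default file: zone "." slaved from placeholder
# masters in RFC 5737 space (not real root servers), plus forwarders and an RFC 1918 empty zone.
SAMPLE_NAMED_CONF = """
options {
    forwarders { 192.0.2.53; };           // upstream resolver (placeholder)
};
zone "." {
    type slave;
    masters { 192.0.2.1; 198.51.100.1; }; // placeholders, not root servers
};
zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
zone "example.internal" { type master; file "master/example.internal.db"; };
"""

RFC1918_REVERSE = re.compile(r"^(10|168\.192|(1[6-9]|2\d|3[01])\.172)\.in-addr\.arpa$")


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # C-style block comments
    return re.sub(r"(//|#).*", "", text)                # // and # line comments


def _zone_blocks(text):
    """Yield (name, body) for each zone "name" { ... }; block, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]*)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def audit(conf):
    """Report the root zone setup and flag the combination the 6-STABLE thread blamed."""
    conf = _strip_comments(conf)
    zones = dict(_zone_blocks(conf))
    root = zones.get(".", "")
    m_type = re.search(r"\btype\s+(\w+)", root)
    m_masters = re.search(r"\bmasters\s*\{([^}]*)\}", root)
    report = {
        "root_type": m_type.group(1) if m_type else None,
        "root_masters": re.findall(r"\d+(?:\.\d+){3}", m_masters.group(1)) if m_masters else [],
        "forwarders": bool(re.search(r"\bforwarders\s*\{", conf)),
        "rfc1918_empty_zones": sorted(z for z in zones if RFC1918_REVERSE.match(z)),
        "findings": [],
    }
    if report["root_type"] == "slave":
        report["findings"].append("root zone slaved: depends on masters continuing to permit AXFR")
        if report["forwarders"] and report["rfc1918_empty_zones"]:
            report["findings"].append("slaved root + forwarders + RFC 1918 empty zones: reported to break local zones")
    return report
```

Switching the sample's zone "." to "type hint;" (the pre-change setup) clears both findings.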

More information about the freebsd-stable mailing list