[dns-operations] FreeBSD and the slaving of the root zone

Simon Waters simonw at zynet.net
Thu Aug 2 14:09:33 UTC 2007

On Thursday 02 August 2007 14:46, David Malone wrote:
> I understand that it will continue to be limited to getting transfers
> from one server, but if you think that is actually likely to be a
> serious operational problem, then a BIND zone type that gets a NS
> list first and then does an AXFR from one of them could be devised.

Or it could get a transfer from a private list of servers.

As I said, once you accept slaving the root, you are not forced to get the
root zone via AXFR, nor to make that AXFR from the root servers themselves.
FreeBSD could easily offer such a service for its users.

Indeed, AXFR is subject to attacks that a signed (by any trusted party who
checked it) root zone is not liable to.

i.e. rsync over SSH would notice a fingerprint change.

The only reason to use the root servers for the AXFR is because they are
expected to offer that information.

My personal vision was you would get the root zone from your ISP, or other
group you have a contractual relationship with. This resolves the prime
business issues with the root servers, relying on the kindness of strangers
(or in some cases friends). That might introduce a slight delay
(minutes/hours) with new top level domains, but hey, how many TLD domains
spring into existence full of interesting new services?
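The retrieval path sketched above (rsync over SSH from a contracted provider with a pinned host key, instead of AXFR from the root servers), as an added example that is not part of the original post. The provider address, file paths, and the use of BIND's named-checkzone and rndc are assumptions; the script refuses to install a copy that fails validation or whose SOA serial goes backwards.

```shell
#!/bin/sh
# Added example, not from the original post: pull a copy of the root zone from a
# contracted provider over rsync/ssh and install it only if it validates and its
# SOA serial has not regressed. Host, paths and tool names are assumptions.
set -eu

PROVIDER="${PROVIDER:-rootzone@provider.example}"          # placeholder provider
REMOTE_PATH="${REMOTE_PATH:-/pub/root.zone}"               # placeholder path
ZONE_DIR="${ZONE_DIR:-/etc/namedb}"                        # placeholder BIND dir
KNOWN_HOSTS="${KNOWN_HOSTS:-$ZONE_DIR/provider_known_hosts}"  # pinned host key
ZONE_CHECK="${ZONE_CHECK:-named-checkzone -q .}"           # validator, overridable

# Fetch over ssh with the provider's host key pinned: a changed fingerprint makes
# ssh refuse the connection, so a substituted server is noticed rather than trusted.
fetch_root_zone() {
    rsync -q -e "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS" \
        "$PROVIDER:$REMOTE_PATH" "$1"
}

# Print the SOA serial of a zone file (assumes the SOA record is on one line with
# TTL and class present, as in the published root zone).
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }' "$1"
}

# Install the candidate over the live file only if it validates and its serial is
# not lower than the installed copy; otherwise leave the live file untouched.
install_root_zone() {
    candidate="$1"; live="$2"
    $ZONE_CHECK "$candidate" >/dev/null 2>&1 || { echo "candidate fails validation" >&2; return 1; }
    new="$(soa_serial "$candidate")"
    if [ -f "$live" ]; then
        old="$(soa_serial "$live")"
        if [ "$new" -lt "$old" ]; then
            echo "serial regression: $old -> $new, not installing" >&2; return 2
        fi
    fi
    mv -f "$candidate" "$live"   # rename is atomic within the same filesystem
}

if [ "${1:-}" = "run" ]; then
    tmp="$(mktemp "$ZONE_DIR/root.zone.XXXXXX")"   # same dir so the mv is atomic
    fetch_root_zone "$tmp"
    install_root_zone "$tmp" "$ZONE_DIR/root.zone" && rndc reload .
fi
```

Run as `sh script.sh run` from cron; the host key in the pinned known_hosts file must be obtained out of band from the provider.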