[dns-operations] FreeBSD and the slaving of the root zone
paul at vix.com
Thu Aug 2 14:59:08 UTC 2007
> It never occurred to me to consider that you might have in mind
> restrictions for how people use the AXFR capability. In my mind, "open
> to AXFR" is "open," and the idea that you feel it _should_ be open
> for one purpose, but _should not_ be open for other purposes honestly
> never entered my mind. However Peter Losher responded in the thread on
> the FreeBSD list with basically the same statement you made, so
> obviously this idea is pretty deeply ingrained, at least at ISC.

it is possible to provision 120 servers to serve many million hosts by UDP.
so, we offer that as a production service. we know we can do it, and well.

it is not possible to provision 120 servers to serve even one million hosts
by TCP/53. there's no way to make this a reliable production service. the
impact of the mismatch will be felt in the clients, not the servers, but
no matter what, it won't be reliable. it's a diagnostic, use-at-own-risk.

no operating system should make this configuration a default.