[dns-operations] FreeBSD and the slaving of the root zone

Paul Vixie paul at vix.com
Thu Aug 2 14:59:08 UTC 2007

> It never occurred to me to consider that you might have in mind
> restrictions for how people use the AXFR capability. In my mind, "open
> to AXFR" is "open," and the idea that you feel it _should_ be open
> for one purpose, but _should not_ be open for other purposes honestly
> never entered my mind. However Peter Losher responded in the thread on
> the FreeBSD list with basically the same statement you made, so
> obviously this idea is pretty deeply ingrained, at least at ISC.

it is possible to provision 120 servers to serve many million hosts by UDP.
so, we offer that as a production service.  we know we can do it, and well.

it is not possible to provision 120 servers to serve even one million hosts
by TCP/53.  there's no way to make this a reliable production service.  the
impact of the mismatch will be felt in the clients, not the servers, but 
no matter what, it won't be reliable.  it's a diagnostic, use-at-own-risk.

no operating system should make this configuration a default.
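For reference, the two BIND 9 `named.conf` forms the thread contrasts, as an added illustration that is not part of the original message or of any FreeBSD default file: the stock root-hints configuration (resolution starts at the root servers over UDP, the provisioned production path) and the root-slaving configuration (a full AXFR of "." over TCP/53, the diagnostic, use-at-own-risk path). Only one `zone "."` stanza can be active at a time; the `masters` addresses are a placeholder, since the message names none.

```conf
// Production form: root hints only. Queries to the root go out as ordinary
// UDP lookups, which is what the root operators provision for.
zone "." {
    type hint;
    file "named.root";   // the standard root hints file shipped with the OS
};

// Diagnostic form: slave the whole root zone by AXFR over TCP/53.
// Not a reliable production service from the root operators; should not be
// an operating-system default.
// zone "." {
//     type slave;
//     file "slave/root.slave";
//     masters {
//         192.0.2.1;       // PLACEHOLDER: an AXFR-capable root server address
//     };
//     notify no;
// };
```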

