[dns-operations] FreeBSD and the slaving of the root zone

Blacka, David davidb at verisign.com
Thu Aug 2 15:17:01 UTC 2007


David Malone wrote:
>> BIND and some other caching resolvers generally only use the root hints
>> for "priming" (or, perhaps, more accurately, they use the root hints
>> only until priming is complete).  With priming, you only actually need
>> to have one of the 13 IP addresses correct in the hints file.  After (at
>> most) 12 priming attempts, the resolver will get the current set of root
>> servers and be on its merry way.
> 
>> So, in this sense, the root hints method is significantly more robust
>> than slaving the root.
> 
> Surely the same would be true of BIND listing 13 master IPs for the
> root zone? If one works, then the resolver will still get its zone
> transfer and everything continues to work (unless that server is
> unavailable for longer than the expire time, in which case the hints
> case would be pretty busted too).

True.  However, I would expect the root hints using resolver to query
the bad IPs only once per restart (assuming that it could re-prime using
the previous priming data), whereas the slaving resolver would query
those broken IPs for every refresh.

> I understand that it will continue to be limited to getting transfers
> from one server, but if you think that is actually likely to be a
> serious operational problem, then a BIND zone type that gets a NS
> list first and then does an AXFR from one of them could be devised.

I'm not sure why the query would be for NS, but being able to specify
the master(s) by name instead of IP would be useful in this case.

-- 
David Blacka                          <davidb at verisign.com>
Sr. Engineer    VeriSign Infrastructure Product Engineering
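As an added illustration (not part of the thread or of BIND), here is a small Python model of the two behaviours David Blacka contrasts above: a hints-based resolver that primes once per restart and then re-primes from the previously primed data, versus a slaving resolver that walks its fixed master list on every refresh. All addresses are constructed from documentation ranges, and the counts are of queries sent to stale addresses.

```python
# Model of root-hints priming vs. slaving the root zone with a fixed
# master list. Addresses below are constructed (RFC 5737 ranges), not
# real root server IPs.

# The "current" root server set a priming response would return.
CURRENT_ROOTS = {f"198.51.100.{i}" for i in range(1, 14)}
# Three stale addresses that remain in an out-of-date hints file.
STALE = {"203.0.113.1", "203.0.113.2", "203.0.113.3"}
# A 13-entry hints file: 3 stale entries followed by 10 still-valid ones.
HINTS = sorted(STALE) + sorted(CURRENT_ROOTS)[:10]


def prime(hints, live):
    """Send priming queries down the hint list until a live root answers.

    Returns (current root set, number of queries sent to dead addresses).
    Any live root returns the full current NS set, so one correct entry
    is enough, and at most len(hints) - 1 attempts are wasted."""
    dead = 0
    for addr in hints:
        if addr in live:
            return set(live), dead
        dead += 1
    raise RuntimeError("no reachable root server in hints")


def hints_resolver(hints, live, restarts, refreshes_per_restart):
    """Hints-based resolver: the stale hints file is consulted only at
    startup; later re-primes use the previously primed (current) set."""
    dead_total = 0
    for _ in range(restarts):
        roots, dead = prime(hints, live)          # cold start: uses file
        dead_total += dead
        for _ in range(refreshes_per_restart):
            roots, dead = prime(sorted(roots), live)  # re-prime from cache
            dead_total += dead
    return dead_total


def slaving_resolver(masters, live, refreshes):
    """Slaving resolver: every refresh walks the same configured master
    list in order, so stale masters are retried on every refresh."""
    dead_total = 0
    for _ in range(refreshes):
        for addr in masters:
            if addr in live:
                break                               # got the zone transfer
            dead_total += 1
        else:
            raise RuntimeError("no reachable master for the root zone")
    return dead_total
```

Over two restarts with ten refreshes each, the hints model wastes one pass over the stale entries per restart, while the slaving model wastes one pass per refresh.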