[dns-operations] FreeBSD and the slaving of the root zone

Michael Sinatra michael at rancid.berkeley.edu
Thu Aug 2 17:33:31 UTC 2007


Roland Dobbins wrote:
> On Aug 2, 2007, at 4:04 AM, Doug Barton wrote:
> 
>> FWIW, I sent messages today to the operators of all 5 axfr'able roots
>> asking if they would like to be removed from the FreeBSD named.conf.
> 
> The issue isn't about the roots, per se.  The issue is about making a  
> radical change to default behavior without any kind of wider  
> consultation with the operational community.
> 
> Sysadmins don't like this kind of change being thrust upon them as a  
> default, and the last place they expect to see something of this sort  
> is FreeBSD.  Please back these changes out of FreeBSD.

While I agree that the default change should be backed out, those 
sysadmins who use mergemaster--the prescribed method of updating 
configuration files in FreeBSD--will not have a change like this "thrust 
upon them."  mergemaster provides a mechanism for diffing new 
configuration files with existing ones and allows the sysadmin to 
interactively merge new configuration bits, and sysadmins can opt not to 
merge bits in.  So I don't agree that this change has been "thrust upon" 
_clueful_ sysadmins.

The problem is the people who run caching nameservers on their own 
workstations and copy new config files wholesale.  They are the least 
likely to benefit from slaving the root zone and they are the most 
likely to unwittingly adopt it under this model.  Likewise, people who 
would have installed 6.3-RELEASE or 7.0-RELEASE, neither of which has 
yet been released, under the change (before Doug backed it out) *and* 
who turn on named, *and* don't check the config to make sure it's what 
they want, will also unwittingly slave the root zone.  Now that Doug is 
backing out the change, this is no longer an issue, as 6.3 and 7.0 
haven't been released yet.

Finally, the fact that this was made part of the default config implies 
a consensus that (clearly) doesn't exist; namely, that this is a good 
thing to do universally for caching nameservers.

So I agree that the change should be backed out, but not because it was 
thrust upon sysadmins.

michael




More information about the dns-operations mailing list