[dns-operations] FreeBSD and the slaving of the root zone
michael at rancid.berkeley.edu
Thu Aug 2 17:33:31 UTC 2007
Roland Dobbins wrote:
> On Aug 2, 2007, at 4:04 AM, Doug Barton wrote:
>> FWIW, I sent messages today to the operators of all 5 axfr'able roots
>> asking if they would like to be removed from the FreeBSD named.conf.
> The issue isn't about the roots, per se. The issue is about making a
> radical change to default behavior without any kind of wider
> consultation with the operational community.
> Sysadmins don't like this kind of change being thrust upon them as a
> default, and the last place they expect to see something of this sort
> is FreeBSD. Please back these changes out of FreeBSD.
While I agree that the default change should be backed out, those
sysadmins who use mergemaster--the prescribed method of updating
configuration files in FreeBSD--will not have a change like this "thrust
upon them." mergemaster provides a mechanism for diffing new
configuration files with existing ones and allows the sysadmin to
interactively merge new configuration bits, and sysadmins can opt not to
merge bits in. So I don't agree that this change has been "thrust upon"
The problem is the people who run caching nameservers on their own
workstations and copy new config files wholesale. They are the least
likely to benefit from slaving the root zone and they are the most
likely to unwittingly adopt it under this model. Likewise, people who
would have installed 6.3-RELEASE or 7.0-RELEASE, neither of which has
yet been released, under the change (before Doug backed it out) *and*
who turn on named, *and* don't check the config to make sure it's what
they want, will also unwittingly slave the root zone. Now that Doug is
backing out the change, this is no longer an issue, as 6.3 and 7.0
haven't been released yet.
Finally, the fact that this was made part of the default config implies
a consensus that (clearly) doesn't exist; namely, that this is a good
thing to do universally for caching nameservers.
So I agree that the change should be backed out, but not because it was
thrust upon sysadmins.
More information about the dns-operations