Paul Vixie wrote:
> some kind of AXFR-only service seems indicated.  we could put one
> up on in a few days if IANA asked for it.  (that's F+1
> as IP addresses go.)

It should come as no surprise that I think this is a great idea.

To take it a step further you could publish a TSIG key on the web
site, signed by the current BIND pgp signing key. This would obviously
not provide the same layer of authentication that DNSSEC would, but it
would protect against data that might be mangled in flight. (One could
also argue that this would be a bad thing because it would make a mitm
attack more legitimate looking to the naive eye, but my feeling is
that it's better to have it than not.) What requiring TSIG for the
transfer _would_ do is raise the required wizardry level quite a bit.

Throw in IXFR and you'll greatly reduce the required bandwidth for all
concerned (and avoid the meta-discussion about whether it's a good
thing to rev the serial on the root zone twice a day in the absence of
a real content change).

To raise the required wizardry level a little higher still, what I'm
currently thinking about is that rather than provide the commented out
example of how to do it (using whatever mechanism), I could provide
comments on where to go to find the instructions to do it. That way we
could ensure that anyone who moves forward with this at least has
enough clueballs in their pocket to follow instructions. It would also
allow me to provide more depth in terms of the pros and cons for doing
it than I can in the comments of the conf file.

Do you actually need David to make a formal request? Or is this
something you would consider doing if enough community members said
that it sounds like a good idea? (And no, the irony of that question
coming from me is not lost.)
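An added example of what the proposal looks like on the consuming side (not code from the post, from Paul's server, or from ISC): a BIND 9 named.conf fragment for a secondary that pulls the root zone from an AXFR/IXFR-only service over TSIG. The server address 192.0.2.1 (documentation range), the key name, and the secret placeholder are assumptions; the real secret would be the one published on the web site, after checking its PGP signature against the BIND signing key.

```conf
// Added example, not from the message or from ISC.
// Assumed values: server 192.0.2.1, key name "root-xfr-key", and the
// secret, which is a placeholder for the published, PGP-signed TSIG key.

key "root-xfr-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-PUBLISHED-BASE64-SECRET";
};

// Sign every query to this server with the key, and ask for incremental
// transfers so a serial bump without a content change costs a SOA query
// and an empty IXFR rather than a full AXFR.
server 192.0.2.1 {
    keys { root-xfr-key; };
    request-ixfr yes;
};

zone "." {
    type secondary;                               // "slave" on older BIND
    primaries { 192.0.2.1 key root-xfr-key; };    // "masters" on older BIND
    file "root.db";
    allow-transfer { none; };  // do not become a transfer source yourself
    notify no;
};
```

The TSIG key authenticates the transfer channel and detects in-flight mangling only; it makes no statement about the zone contents themselves, which is the gap the message notes DNSSEC would fill.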
