[dns-operations] New root AXFR service?

Mark Andrews Mark_Andrews at isc.org
Fri Aug 3 02:45:46 UTC 2007

> Paul Vixie wrote:
> > some kind of AXFR-only service seems indicated.  we could put one
> > up on in a few days if IANA asked for it.  (that's F+1
> > as IP addresses go.)
> Doug Barton <dougb at dougbarton.us> wrote:
> > It should come as no surprise that I think this is a great idea.
> i have since reconsidered.  the session descriptor logic in RFC 1035 makes
> TCP/53 a very fragile service, suitable for DNS QUERY from unpredictable
> parties or for DNS AXFR from predictable parties but not for DNS AXFR from
> unpredictable parties.
> > Do you actually need David to make a formal request? Or is this
> > something you would consider doing if enough community members said
> > that it sounds like a good idea? (And no, the irony of that question
> > coming from me is not lost.)
> i think that in the best of all possible worlds, somebody would write an RFC
> and IANA would solicit volunteers and ISC would certainly be a volunteer.  but
> the RFC would either have to specify that the descriptor pool for AXFR-only
> is "don't drop old sessions unless they time out, even if it means ignoring
> new TCP SYNs", or it would specify RSYNC or some other protocol for transport.

	Taking advice from the HTTP world:

	accept filter + IXFR/AXFR only + 1 transaction per connection.

	IXFR removes the need for multiple transactions.

	AXFR is required for the initial transfer of the zone.

	accept filter, tailored for DNS, so that we don't go through
	descriptors at an amazing rate waiting for the query to arrive.

	The accept filter could even be tuned to only allow AXFR/IXFR
	and listed zones.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
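
Added example, not part of the original message and not ISC code: a user-space Python sketch of the decision a DNS-tailored accept filter would make on the first bytes of a TCP/53 connection, admitting only AXFR/IXFR queries for listed zones. The names `parse_first_query`, `admit`, `build_query`, the `ALLOWED_ZONES` contents and the 512-byte query cap are assumptions made for illustration.

```python
import struct

QTYPE_IXFR, QTYPE_AXFR = 251, 252
ALLOWED_ZONES = {"."}   # assumption: listed zones as absolute, lowercase names
MAX_QUERY = 512         # assumption: upper bound on a plausible transfer request

def parse_first_query(buf):
    """Return (qname, qtype) once a whole query is buffered, None if more
    bytes are needed; raise ValueError for input that can never be admitted."""
    if len(buf) < 2:
        return None
    (msg_len,) = struct.unpack("!H", buf[:2])      # DNS-over-TCP length prefix
    if msg_len < 17 or msg_len > MAX_QUERY:        # 12 header + 1 name + 4 type/class
        raise ValueError("implausible message length")
    if len(buf) < 2 + msg_len:
        return None
    msg = buf[2:2 + msg_len]
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        raise ValueError("not a single-question QUERY")
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):       # also rejects compression pointers
            raise ValueError("bad label")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    pos += 1                                       # step over the root label
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    # Anything after the question (IXFR's SOA, TSIG) is left for the name server.
    return ".".join(labels) + ".", qtype

def admit(buf):
    """'wait' = keep buffering, 'accept' = hand to the server, 'drop' = close."""
    try:
        q = parse_first_query(buf)
    except ValueError:
        return "drop"
    if q is None:
        return "wait"
    ok = q[1] in (QTYPE_AXFR, QTYPE_IXFR) and q[0] in ALLOWED_ZONES
    return "accept" if ok else "drop"

def build_query(name, qtype):
    """Constructed sample input: a length-prefixed one-question query."""
    qn = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    msg = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + qn + b"\0" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg
```

A "wait" result corresponds to the connection staying out of the server's descriptor pool until the query has arrived.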
