[dns-operations] FreeBSD and the slaving of the root zone

Mark Andrews Mark_Andrews at isc.org
Fri Aug 3 11:55:06 UTC 2007


> * Mark Andrews wrote:
> >> 	1) Resolvers usually only ask for records they know about.
> >> 	What happens if they AXFR from the root and it contains
> >> 	records they don't understand?
> >
> > 	See RFC 3597, Handling of Unknown DNS Resource Record (RR) Types.
> 
> Microsoft DNS Server on Windows 2003 does understand DNAME, but handles it in
> the wrong way (failing to parse and concluding with SERVFAIL). There is a
> hotfix (only available via Microsoft Partners on explicit request) which
> changes the DNAME code number to an experimental one in the parser code.

	Windows 2003 knows about DNAME.  They misimplemented it.
	Stuff happens.  It would be good if you didn't have to ask
	for the "hotfix".
 
> Other applications, like qmail, assume every DNS packet fits into 512
> bytes and only provide such a buffer, while ignoring the truncation flag.
> Sending mail to DNSSEC domains fails with "Temporary CNAME error".

	qmail is broken then.  Failure to follow RFC 1034/1035.

> *.GTLD-SERVERS.NET did not respond to EDNS0 queries at all until a few
> months ago.

	No.  They responded to EDNS queries.
 
> Summary: This world contains a lot of broken software.

	Firstly the GTLD servers were *not* broken.

	Secondly broken software gets fixed.
 
> >>         3) If someone screws up the serial number of the root zone,
> >>         there could be an interesting mess to clean up.
> >
> > 	What mess?  Serial numbers roll over.
> 
> A lot of "home brew" software authors do not understand serial number
> arithmetic and count it senseless, because in the rare case of problems you
> have to contact your administrator anyway. Therefore there is a lot of
> simple-minded comparison code out there (even several of my scripts).

	All the current DNS nameserver vendors do this right.
 
> >>         4) Are there sensible values for expire, retry and refresh
> >>         if this scheme was in use? How often should the serial
> >>         number really be incremented?
> >
> > 	The first thing is to only change the serial when it needs
> > 	to be changed and not twice daily.
> 
> We are going to sign the root, changes will occur nearly daily.
> (I do have an average of serial increments every two days at my signed root)

	That's fine.  It's changing as there is a change to zone content.
 
> For COM the classical IXFR and AXFR distribution mechanisms are not
> applicable at all. Other TLDs share the same problem.

	We were talking about the root.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
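The "simple-minded comparison code" versus proper serial number arithmetic (RFC 1982) that the thread argues about, as an added example that is not part of the original message or of any ISC code. The function names, the constructed serials and the two-step roll-forward recovery are my own illustration; the roll-forward (add 2^31-1, let secondaries transfer, then set the wanted value) is the standard way to move a serial "backwards" without an undefined comparison.

```python
"""RFC 1982 serial number arithmetic versus naive integer comparison.

Added example, not from the dns-operations thread.  An SOA serial is a
32-bit unsigned integer.  Under RFC 1982, s2 is "newer" than s1 when
(s2 - s1) mod 2**32 lies in 1 .. 2**31 - 1; a difference of exactly
2**31 is undefined.  A secondary transfers only when the primary's
serial is newer in that sense.
"""

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS          # 2**32
HALF = 1 << (SERIAL_BITS - 1)          # 2**31
MAX_ADD = HALF - 1                     # largest RFC 1982 addend


def _check(s: int) -> None:
    if not 0 <= s < SERIAL_MOD:
        raise ValueError("serial %r is not a 32-bit unsigned integer" % (s,))


def serial_add(s: int, n: int) -> int:
    """RFC 1982 addition: n must be in 0 .. 2**31-1; wraps modulo 2**32."""
    _check(s)
    if not 0 <= n <= MAX_ADD:
        raise ValueError("addend must be in 0 .. 2**31-1")
    return (s + n) % SERIAL_MOD


def serial_compare(s1: int, s2: int) -> int:
    """Return -1 if s1 < s2, 0 if equal, +1 if s1 > s2 (RFC 1982 order).

    Raises ValueError for the undefined case where the serials differ by
    exactly 2**31.
    """
    _check(s1)
    _check(s2)
    d = (s2 - s1) % SERIAL_MOD
    if d == 0:
        return 0
    if d == HALF:
        raise ValueError("comparison of %d and %d is undefined" % (s1, s2))
    return -1 if d < HALF else 1


def naive_needs_transfer(local: int, remote: int) -> bool:
    """The 'home brew' check: plain integer comparison, no wraparound."""
    return remote > local


def rfc1982_needs_transfer(local: int, remote: int) -> bool:
    """What a conforming secondary does: transfer only if remote is newer."""
    return serial_compare(local, remote) < 0


def recovery_steps(current: int, target: int) -> list:
    """Serials to publish, in order, to move from `current` to a `target`
    that is not newer under RFC 1982 (e.g. after a fat-fingered serial).

    Each published value is newer than the one before it, so secondaries
    follow along.  One intermediate step of +(2**31-1) always suffices.
    """
    _check(current)
    _check(target)
    if serial_compare(current, target) < 0:
        return [target]
    steps = [serial_add(current, MAX_ADD)]
    if serial_compare(steps[-1], target) < 0:
        steps.append(target)
    else:                                   # target == current (d == 0)
        steps.append(serial_add(steps[-1], MAX_ADD))
        steps.append(target)
    return steps


if __name__ == "__main__":
    # Constructed scenarios, not real root zone serials.
    wrap_local, wrap_remote = SERIAL_MOD - 1, 0
    print("wrap: naive=%s rfc1982=%s" % (
        naive_needs_transfer(wrap_local, wrap_remote),
        rfc1982_needs_transfer(wrap_local, wrap_remote)))
    print("recover 2007080301 -> 1:", recovery_steps(2007080301, 1))
```

The wraparound case is where the two checks diverge: at 2^32-1 the next serial is 0, which RFC 1982 correctly treats as newer while a plain `>` never transfers again. `recovery_steps` shows why a bad serial is a nuisance rather than a disaster: two controlled increments walk every conforming secondary around the ring to the value you actually wanted.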
