[dns-operations] FreeBSD and the slaving of the root zone

Michael Sinatra michael at rancid.berkeley.edu
Tue Jul 31 20:20:07 UTC 2007

John Kristoff wrote:
> On Tue, 31 Jul 2007 11:28:12 +0200
> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> Pierre Beyssac noticed that FreeBSD default configuration is now to
>> slave the root zone from the root name servers who accept it:
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf
> My reading of RFC 4085 strongly advises against just this sort of
> thing.  The case history that led to publication of that RFC
> suggests a strong argument against this change.
>   <http://www.ietf.org/rfc/rfc4085.txt>

Not sure I agree with that.

Is it the case that by your interpretation of RFC4085, specifying the 
root zone master servers by DNS name, rather than IP address, would 
solve the requirements of RFC4085?  In fact, your interpretation of 
RFC4085 appears to argue against the specification of zone masters as IP 
addresses in *any* slave zone.  That's currently not possible in BIND; 
does RFC4085 argue for changing the BIND functionality?

I think not, since zone masters may be referenced by DNS names in the 
zone for which they're master, and you would have a chicken-and-egg 
problem as you tried to load the zone.  Moreover, you have to hard-code 
at least one IP address in any nameserver; the root hints file does just 
that.  I don't see how having a root hints file alleviates the 
requirements of a strict interpretation of RFC4085.

I think there are plenty of reasons NOT to have ordinary caching servers 
slave the root zone, and specifying configuration files that make this 
the default operation might be considered harmful.  Or is that actually 
your point and have I missed it by focusing on the hardcoded-IP-address 
prohibitions of RFC4085 and not the more general "don't distribute 
configs to a large set of devices that may have detrimental effects on 
infrastructure if deployed en masse"?
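
The two BIND configurations being contrasted above, as an added example that is not the FreeBSD default named.conf and not text from anyone in the thread: the conventional hint zone, where the hard-coded root addresses live in the hints file, and a slave of the root zone, where they must appear as IP literals in `masters` because BIND does not accept host names there. The addresses below are RFC 5737 documentation placeholders, not real root-server addresses, and the file names are arbitrary; real addresses belong in the hints file obtained from the usual source.

```conf
// Added example, not the FreeBSD default and not from the thread.
// Addresses are RFC 5737 documentation placeholders, NOT real
// root-server addresses.  Only ONE of the two zone "." statements may
// be present in a given view; BIND rejects a duplicate definition.

// Option A: conventional hint zone.  The hints file holds the
// hard-coded root-server addresses; the resolver iterates from there.
zone "." {
    type hint;
    file "named.root";
};

// Option B: slave the root zone from servers that permit AXFR.
// "masters" takes IP literals only, which is the hard-coding point
// under discussion; there is no way to name the masters by DNS name.
// notify/allow-transfer are locked down so a caching resolver does not
// start re-serving the zone to others.
zone "." {
    type slave;
    file "slave/root.slave";
    masters {
        192.0.2.1;       // placeholder for a root server allowing AXFR
        198.51.100.1;    // placeholder
    };
    notify no;
    allow-transfer { none; };
};
```

Before deploying Option B anywhere, check that the chosen master actually permits the transfer (`dig @192.0.2.1 . AXFR +noall +answer | head`, with a real address in place of the placeholder) and that the file parses (`named-checkconf`); a master that stops allowing AXFR, or a changed address shipped in a distributed default, is exactly the failure mode RFC 4085 describes.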