[dns-operations] FreeBSD and the slaving of the root zone
Michael Sinatra
michael at rancid.berkeley.edu
Tue Jul 31 20:20:07 UTC 2007
John Kristoff wrote:
> On Tue, 31 Jul 2007 11:28:12 +0200
> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
>> Pierre Beyssac noticed that FreeBSD default configuration is now to
>> slave the root zone from the root name servers who accept it:
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf
>
> My reading of RFC 4085 strongly advises against just this sort of
> thing. The case history that led to publication of that RFC
> suggests a strong argument against this change.
>
> <http://www.ietf.org/rfc/rfc4085.txt>
Not sure I agree with that.

Is it the case that by your interpretation of RFC4085, specifying the
root zone master servers by DNS name, rather than IP address, would
solve the requirements of RFC4085? In fact, your interpretation of
RFC4085 appears to argue against the specification of zone masters as IP
addresses in *any* slave zone. That's currently not possible in BIND;
does RFC4085 argue for changing the BIND functionality?

I think not, since zone masters may be referenced by DNS names in the
zone for which they're master, and you would have a chicken-and-egg
problem as you tried to load the zone. Moreover, you have to hard-code
at least one IP address in any nameserver; the root hints file does just
that. I don't see how having a root hints file alleviates the
requirements of a strict interpretation of RFC4085.

I think there are plenty of reasons NOT to have ordinary caching servers
slave the root zone, and specifying configuration files that make this
the default operation might be considered harmful. Or is that actually
your point and have I missed it by focusing on the hardcoded-IP-address
prohibitions of RFC4085 and not the more general "don't distribute
configs to a large set of devices that may have detrimental effects on
infrastructure if deployed en masse"?

michael
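As an added illustration of the two BIND setups the thread contrasts (constructed for this page, not taken from the FreeBSD named.conf linked above or from any poster), here are the hints-based root configuration and the slaved-root configuration side by side. The file names are assumed, and the `masters` addresses are RFC 5737 documentation placeholders, not real root server addresses; a named.conf may define the root zone only once, so these are alternatives, not a file to use as-is.

```conf
// Alternative 1: the conventional caching resolver. The root zone is
// reached through a hints file. That file itself hard-codes root server
// IP addresses, which is the point made above: every nameserver has to
// carry at least one literal address somewhere.
zone "." {
    type hint;
    file "named.root";          // assumed file name: root server names + addresses
};

// Alternative 2: the default under discussion. The resolver slaves
// (zone-transfers) the root zone from root servers that permit AXFR.
// BIND accepts only IP addresses in "masters", so the servers are
// hard-coded here too; DNS names would not work, because resolving
// them would require the very zone being loaded (the chicken-and-egg
// problem). Shipped as a default to a large installed base, every such
// host performs its own transfers against the listed servers, which is
// the "deployed en masse" concern raised in the thread.
zone "." {
    type slave;
    file "slave/root.slave";    // assumed local copy of the zone
    masters {
        192.0.2.1;              // placeholder for a root server that allows AXFR
        192.0.2.2;              // placeholder
    };
    notify no;                  // a slaved copy should not send NOTIFYs onward
};
```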