Date:      Tue, 28 Jan 2003 00:01:05 -0800 (PST)
From:      Doug Barton <DougB@FreeBSD.org>
To:        freebsd-stable@FreeBSD.org
Subject:   Re: 4.7-R-p3: j.root-servers.net
Message-ID:  <20030127232009.D11130@12-234-22-23.pyvrag.nggov.pbz>
In-Reply-To: <20030125221725.GA416@gicco.homeip.net>
References:  <20030125221725.GA416@gicco.homeip.net>

On Sat, 25 Jan 2003, Hanspeter Roth wrote:

> Hello,
>
> I have installed 4.7-RELEASE-p3.
> /etc/namedb/named.root has the following version
> $FreeBSD: src/etc/namedb/named.root,v 1.9 1999/09/13 17:09:08 peter Exp $
>
> This has an obsolete j.root-servers.net.
> I think I've executed mergemaster.
> Are such changes not reflected when sticking with RELENG_4_7?

Your final question was already answered. I think that given all the heat
this subject has generated, a little light is in order.

1. The root zone had not changed for _years_ before this change.

2. The old j.root will continue to answer for a long time.

3. Your name server only needs ONE valid root server in the hints file
when it starts, since updating its internal view of the root zone is one
of the first things it does.

4. When your server does update its . zone, the NS records are cached
for 6 days, and the A records are cached for 5w6d16h (almost 6 weeks).

5. When you boot BIND 8.3.[34], it tells you if your hints file is out of
date once it's updated its cache.

Given this information, all the fuss about "regularly" updating your hints
file is fairly pointless.

As for making your local resolver a slave for the root zone, that
suggestion has some merit, but not because of anything having to do with
the root.hints file. Most resolvers are only ever going to query a few
TLDs, and most TLD NS records are cached for 2 days, or more.

IF you're going to slave the root zone, make sure to do something like
this:

zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                128.9.0.107;    // B.ROOT-SERVERS.NET.
                192.33.4.12;    // C.ROOT-SERVERS.NET.
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};

Take special note of the 'notify no;' statement. When a name server first
starts up, by default it sends out notifies for all its zones. This would
be a bad thing in this case. Also, try not to have all of the resolvers on
your network slave the zone. It would be better to have one server do it,
then slave it to the rest from there.

Hope this helps,

Doug

-- 

    If it's moving, encrypt it. If it's not moving, encrypt
      it till it moves, then encrypt it some more.
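
An added check (not part of the mail above) for the slaved-root-zone stanza Doug shows: it parses a named.conf fragment and reports a slaved zone "." that lacks 'notify no;' or lists no masters. The sample configurations are constructed for this example, the "bad" one being a hypothetical variant with 'notify no;' removed.

```python
# Added example (not from the mail): lint a named.conf fragment for a slaved
# root zone, checking the points above: 'notify no;' present, masters listed.
import re

# Constructed sample: the stanza from the mail, plus a hypothetical variant
# with 'notify no;' removed so the lint has something to report.
GOOD_CONF = '''
zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                128.9.0.107;    // B.ROOT-SERVERS.NET.
                192.33.4.12;    // C.ROOT-SERVERS.NET.
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
'''
BAD_CONF = GOOD_CONF.replace("        notify no;\n", "")

def strip_comments(text):
    # Drop /* */, // and # comments so a commented-out 'notify no;' is not counted.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_body(text, header):
    # Text between the braces following 'header' (a regex), honouring nesting.
    m = re.search(header + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None

def lint_root_slave(conf):
    # Return a list of problems; empty means the stanza matches the advice above.
    zone = block_body(strip_comments(conf), r'zone\s+"\."')
    if zone is None:
        return ['no zone "." stanza found']
    if not re.search(r"\btype\s+slave\s*;", zone):
        return []  # not slaving the root; the notify concern does not apply
    problems = []
    if not re.search(r"\bnotify\s+no\s*;", zone):
        problems.append("slaved root zone lacks 'notify no;'")
    masters = block_body(zone, r"\bmasters")
    if not masters or not re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", masters):
        problems.append("masters {} lists no IPv4 address")
    return problems
```

Run lint_root_slave() over the zone "." stanza of a real named.conf; a hint-type root zone is passed through untouched since the notify concern only applies to slaves.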
