From: Doug Barton <dougb@FreeBSD.org>
Date: Wed, 01 Aug 2007 13:32:42 -0700
To: FreeBSD Current, FreeBSD Stable
Subject: Re: default dns config change causing major poolpah
Message-ID: <46B0EDEA.8050608@FreeBSD.org>
In-Reply-To: <20070801110727.GC59008@menantico.com>

Replying en masse to bring related thoughts together.
It was already posted, but a more complete treatment of my reasoning is found at:
http://lists.oarci.net/pipermail/dns-operations/2007-August/001856.html

Skip Ford wrote:
> Randy Bush wrote:
>> the undiscussed and unannounced change to the default dns config
>> to cause local transfer of the root and arpa zone files has
>> raised major discussion in the dns operational community. (see
>> the mailing list dns-operations@mail.oarc.isc.org).
>>
>> did i miss the discussion here?
>
> No. There was none.
>
>> i have spent some hours turning off the default bind and going
>> custom on a dozen or so machines around the planet. i am not
>> happy.

Randy,

You might make your life a little easier by checking out src.conf(1) in 7-current and make.conf(1) in 6-stable, which both document the various NO_BIND_* knobs that are available. What you probably want is NO_BIND_ETC.

> I don't have an axe to grind. I don't run the default config on
> any of my 2 dozen name servers (not all of which run bind anyway)
> so I wasn't really affected by the change.
>
> However, I thought it was a really, really, terrible idea,

You're entitled to your opinion. If you take a look at the thread on the dns-operations list you'll see that there are a lot of really smart people lined up on both sides of this argument.

> and a rather rude act considering it relies on the charity of
> others to not break.

The same can be said of the root server network in general.

> There is no requirement that FreeBSD users be permitted to slave
> the roots. Everyone who uses the default config can have their
> setups broken the day after installation.

The root server operators do not make changes in this kind of abrupt fashion.

> We never asked permission to use the resources of others in this
> way, and they're not required to allow us to do so.

Once again, the same is true of resolution from the root servers as well.
> The original commit message for the change indicated it was done to
> bring us in line with "current best practices" but that commit
> message is the only place I have ever seen anyone say that slaving
> the roots is current best practice.

The BCP comment you're referring to was in regards to the default localhost zone generation, which is not in any way related. Please see:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf

Heiko Wundram (Beenic) wrote:
> On Wednesday 01 August 2007 13:07:27 Skip Ford wrote:
>>
>
> You might want to check the thread starting with:
>
> <200707162319.41724.lofi@freebsd.org> ("Problems with named default
> configuration in 6-STABLE")

Easier for most folks to access this by:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=207558+0+archive/2007/freebsd-stable/20070722.freebsd-stable

That thread involved an issue of resolving local zones that could not be resolved because of a combination of slaving the root zone and the new default empty reverse zones for RFC 1918 space, and how that interacted with the forwarders clause that user had in his config.

Dag-Erling Smørgrav wrote:
> This is about on par with
> selling SOHO routers that synchronize their clocks using stratum-1
> NTP servers.

I don't really think that analogy holds up, given that those who run public stratum-1 NTP servers specifically request that individual hosts not sync from them. The root server operators have a choice of whether to enable AXFR or not. Also, that configuration could not be changed, but named.conf can be changed easily.

If there is a consensus based on solid technical reasons (not emotion or FUD) to back the root zone slaving change out, I'll be glad to do so. I think it would be very useful at this point if those who _like_ the change would speak up publicly as well.

Regards,

Doug

-- 
This .signature sanitized for your protection
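As an added illustration (not part of this thread or of FreeBSD's own tooling), the following script inspects a named.conf and reports whether the root ("." ) and "arpa" zones are configured as slaves, and from which masters, so an administrator can tell at a glance whether a host is running the root-slaving default the thread discusses. The embedded named.conf is constructed for the example; its zone layout mirrors the default being debated, but the master addresses are documentation placeholders, not real root servers.

```python
"""Report root/arpa zones that a named.conf configures as slave zones."""
import re

# Constructed sample in the shape of the FreeBSD default under discussion.
# 192.0.2.x are documentation addresses (RFC 5737), not real root servers.
SAMPLE_NAMED_CONF = """
options { directory "/etc/namedb"; };
zone "." { type slave; file "slave/root.slave";
           masters { 192.0.2.1; 192.0.2.2; }; notify no; };
zone "arpa" { type slave; file "slave/arpa.slave";
              masters { 192.0.2.1; }; notify no; };
zone "localhost" { type master; file "master/localhost-forward.db"; };
zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
"""


def parse_zones(conf):
    """Return one dict per zone statement: name, type and list of masters.

    Zone bodies are found by brace matching, so nested blocks such as
    'masters { ... };' inside a zone do not end the zone prematurely.
    """
    zones = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        start = m.end()
        depth, i = 1, start
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[start:i - 1]
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        masters = re.search(r'\bmasters\s*\{([^}]*)\}', body)
        zones.append({
            "name": m.group(1),
            "type": ztype.group(1) if ztype else None,
            "masters": re.findall(r'[0-9A-Fa-f.:]+', masters.group(1))
                       if masters else [],
        })
    return zones


def slaved_top_level(conf):
    """Map '.' and/or 'arpa' to their masters when configured as slaves."""
    return {z["name"]: z["masters"] for z in parse_zones(conf)
            if z["name"] in (".", "arpa") and z["type"] == "slave"}


if __name__ == "__main__":
    for name, masters in slaved_top_level(SAMPLE_NAMED_CONF).items():
        print(f'zone "{name}" is slaved from {", ".join(masters)}')
```

Running it against a live /etc/namedb/named.conf (read the file instead of the sample) shows whether the host depends on AXFR from the configured masters; an empty result means the root zone is served from hints or forwarders instead.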