Date:      Tue, 17 Jul 2007 12:47:50 +0200
From:      Volker <volker@vwsoft.com>
To:        "Heiko Wundram (Beenic)" <wundram@beenic.net>
Cc:        freebsd-stable@freebsd.org
Subject:   FreeBSD violates RFC2870 [was: Re: Problems with named default configuration in 6-STABLE]
Message-ID:  <469C9E56.8070705@vwsoft.com>
In-Reply-To: <200707171106.30795.wundram@beenic.net>
References:  <200707162319.41724.lofi@freebsd.org> <200707171005.37507.wundram@beenic.net> <469C835B.6090304@vwsoft.com> <200707171106.30795.wundram@beenic.net>

On 07/17/07 11:06, Heiko Wundram (Beenic) wrote:
> On Tuesday 17 July 2007 10:52:43 Volker wrote:
>> <snip>
>> Relying on a zone transfer doesn't seem to be reliable to me as more
>> than half of the root servers don't reply to AXFR requests.
> 
> I've heard pretty much the same thing as you did wrt. root name servers 
> denying AXFR, but as "it works" (TM), I don't see a reason not to use it. And 
> it seems that the author of the FreeBSD default named.conf thought likewise, 
> which is pretty okay with me (from the experience I gathered this morning).

I've googled a bit. RFC 2870 says:

  2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
       queries from clients other than other root servers.  This
       restriction is intended to, among other things, prevent
       unnecessary load on the root servers as advice has been heard
       such as "To avoid having a corruptible cache, make your server a
       stealth secondary for the root zone."  The root servers MAY put
       the root zone up for ftp or other access on one or more less
       critical servers.

It's amusing, root servers B, C, F, G and K are operated by ignoring
(read: violating) RFC2870's explicit requirements. Still want to be a
slave of root servers while knowing it violates RFC2870, or at least
uses a mechanism of root servers violating RFC2870?

I've checked cvs for named.conf and yes, by default FreeBSD now will
be a slave of the root zone. Which in fact means FreeBSD uses
something which is a violation of RFC2870 and which is not guaranteed
to work. Should it be that way?

If an (experienced) admin is aware of the consequences of relying on
an RFC violation, it's ok for the admin personally. But is it ok for
the bunch of DNS noobs to rely on a thing which is not guaranteed to
work? If, one day, this will not work anymore (as root servers refuse
to AXFR), you will lose 100% connectivity and the noob will never
know why he can't reach a single host on the internet.

As I think having a default to hint root zone is better, I'll file a
PR about that.

Volker



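The two named.conf shapes this message contrasts, written out as an added example. This is not the FreeBSD default named.conf of the time and not code from Volker's message; it is a BIND 9 fragment written for illustration, and the master addresses in the slave stanza are assumptions taken from the public root-server list and must be checked against the current named.root hints file before use.

```conf
// Added example, not the FreeBSD default named.conf. BIND 9 syntax.
// Use ONE of the two stanzas below: named rejects two definitions of
// the same zone (".") in a single view.

// Shape A: stealth secondary of the root zone. The server pulls "."
// by AXFR from the listed masters. It keeps working only as long as
// those servers keep answering AXFR, which RFC 2870 section 2.7 says
// root servers SHOULD NOT do. If they stop, the copy eventually
// reaches its expire time and named stops answering from it, and a
// resolver with no other source for "." cannot resolve anything.
zone "." {
    type slave;
    file "slave/root.slave";        // local copy of the transferred zone
    masters {
        192.5.5.241;                // f.root-servers.net (assumed address)
        192.33.4.12;                // c.root-servers.net (assumed address)
    };
    notify no;
};

// Shape B: hints. named only needs the list of root-server names and
// addresses to start iterative resolution; it then asks the root
// servers ordinary referral queries. No zone transfer is involved, so
// nothing depends on a root server answering AXFR.
zone "." {
    type hint;
    file "named.root";              // the standard root hints file
};
```

To see for yourself whether a given root server still answers AXFR, run `dig @f.root-servers.net . AXFR` (or any other letter); a server that refuses the transfer makes dig print `; Transfer failed.` instead of the zone's records.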
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?469C9E56.8070705>