From owner-freebsd-stable@FreeBSD.ORG Tue Jul 17 10:48:12 2007
Message-ID: <469C9E56.8070705@vwsoft.com>
Date: Tue, 17 Jul 2007 12:47:50 +0200
From: Volker
To: "Heiko Wundram (Beenic)"
Cc: freebsd-stable@freebsd.org
In-Reply-To: <200707171106.30795.wundram@beenic.net>
References: <200707162319.41724.lofi@freebsd.org> <200707171005.37507.wundram@beenic.net> <469C835B.6090304@vwsoft.com> <200707171106.30795.wundram@beenic.net>
Subject: FreeBSD violates RFC2870 [was: Re: Problems with named default configuration in 6-STABLE]
List-Id: Production branch of FreeBSD source code

On 07/17/07 11:06, Heiko Wundram (Beenic) wrote:
> On Tuesday 17 July 2007 10:52:43 Volker wrote:
>>
>> Relying on a zone transfer doesn't seem to be reliable to me as more
>> than half of the root servers don't reply to AXFR requests.
>
> I've heard pretty much the same thing as you did wrt. root name servers
> denying AXFR, but as "it works" (TM), I don't see a reason not to use it. And
> it seems that the author of the FreeBSD default named.conf thought likewise,
> which is pretty okay with me (from the experience I gathered this morning).

I've googled a bit. RFC 2870 says:

   2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
       queries from clients other than other root servers. This
       restriction is intended to, among other things, prevent
       unnecessary load on the root servers as advice has been heard
       such as "To avoid having a corruptible cache, make your server a
       stealth secondary for the root zone." The root servers MAY put
       the root zone up for ftp or other access on one or more less
       critical servers.

It's amusing: root servers B, C, F, G and K are operated by ignoring (read: violating) RFC2870's explicit requirements.

Still want to be a slave of root servers while knowing it violates RFC2870, or at least uses a mechanism of root servers violating RFC2870?

I've checked cvs for named.conf and yes, FreeBSD now will be a slave of the root zone by default. Which in fact means FreeBSD uses something that is a violation of RFC2870 and is not guaranteed to work.

Should it be that way? If an (experienced) admin is aware of the consequences of relying on an RFC violation, it's ok for the admin personally. But is it ok for the bunch of DNS noobs to rely on a thing which is not guaranteed to work?

If, one day, this will not work anymore (as root servers refuse to AXFR), you will lose 100% connectivity and the noob will never know why he can't reach a single host on the internet.

As I think having a default to hint root zone is better, I'll file a PR about that.

Volker
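The check a practitioner would want before relying on the slaved root zone the mail discusses: ask each root server for an AXFR of "." and see who actually answers. This is an added example, not code from the original mail and not FreeBSD's named.conf; the thirteen root server host names are real, the sample dig outputs are constructed, and which servers answer AXFR on any given day is precisely what the script measures rather than assumes.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD's named.conf.
# Before listing root servers as "masters" for a slaved root zone, check
# which of them actually answer AXFR for ".". The root server names used
# in live_axfr_check are real; whether any of them answers a transfer at
# a given moment is what this script tests, not something assumed.

# classify_axfr OUTPUT
# Classify the captured text of `dig @server . AXFR` and print one word:
#   ok      - a full transfer came back (the zone's SOA record is present)
#   refused - the server declined (dig prints "; Transfer failed.")
#   unknown - anything else (timeout, no route, unexpected output)
# "Transfer failed" is tested first so a refusal is never mistaken for a
# transfer, whatever else dig printed around it.
classify_axfr() {
    case $1 in
        *"Transfer failed"*) echo refused ;;
        *IN*SOA*)            echo ok ;;
        *)                   echo unknown ;;
    esac
}

# live_axfr_check
# Needs network access and dig(1). Prints "<letter>: <status>" per server.
# Not run by default because it talks to the real root servers.
live_axfr_check() {
    for s in a b c d e f g h i j k l m; do
        out=$(dig +time=3 +tries=1 @"$s.root-servers.net" . AXFR 2>&1)
        printf '%s: %s\n' "$s" "$(classify_axfr "$out")"
    done
}

# usable_masters RESULTS
# Given the lines produced by live_axfr_check, print only the servers that
# answered, i.e. the set it would be defensible to list as masters today.
usable_masters() {
    printf '%s\n' "$1" | awk -F': ' '$2 == "ok" { printf "%s.root-servers.net\n", $1 }'
}

# Constructed sample outputs, modelled on dig's AXFR output format; they
# were not captured from real root servers.
SAMPLE_OK='; <<>> DiG 9.3.4 <<>> @f.root-servers.net . AXFR
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2007071700 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2007071700 1800 900 604800 86400'
SAMPLE_REFUSED='; <<>> DiG 9.3.4 <<>> @a.root-servers.net . AXFR
; Transfer failed.'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Offline demonstration on the constructed samples. For the real picture,
# run live_axfr_check and feed its output to usable_masters instead.
SAMPLE_RESULTS="a: $(classify_axfr "$SAMPLE_REFUSED")
f: $(classify_axfr "$SAMPLE_OK")
m: $(classify_axfr "$SAMPLE_TIMEOUT")"
printf '%s\n' "$SAMPLE_RESULTS"
usable_masters "$SAMPLE_RESULTS"
```

If the live run leaves you with an empty or shrinking masters list, the mail's point applies: switch the root zone stanza in named.conf from `type slave` to a hint zone, `zone "." { type hint; file "named.root"; };` (with `named.root` being whatever your copy of the root hints file is called), so that resolution falls back on ordinary iterative queries rather than on a transfer RFC 2870 says root servers should not grant.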