Date:      Mon, 27 Jan 2003 00:12:48 +0100 (CET)
From:      Marc Schneiders <marc@schneiders.org>
To:        Barney Wolff <barney@pit.databus.com>
Cc:        <freebsd-stable@FreeBSD.ORG>
Subject:   Re: 4.7-R-p3: j.root-servers.net
Message-ID:  <20030127000536.O27492-100000@voo.doo.net>
In-Reply-To: <20030126230257.GA62541@pit.databus.com>

On Sun, 26 Jan 2003, at 18:02 [=GMT-0500], Barney Wolff wrote:

> On Sun, Jan 26, 2003 at 11:48:00PM +0100, Marc Schneiders wrote:
> >
> > A more permanent solution is to run secondary for root. This has
> > several advantages. One being speed. The root data will be on your
> > machine and automatically refreshed every 30 minutes (only when there
> > are changes, so no useless traffic) by AXFR. If there is another DDoS
> > attack on the root-servers, you won't suffer from it, for you have the
> > data yourself. And they don't change much.
>
> This strikes me as a Really Bad Idea.  It increases the load on the roots
> that you target,

Prove this. It is only true if your nameserver doesn't do anything or
much. If it is busy, it will actually mean less load on the
rootserver(s). For there will be no traffic for the many non-existing
top level domains that originate in typos. Your own machine will give
the NXDomain answer.

> and leaves you high and dry if those roots decide to
> deny zone transfers,

This would be true for any other automatic method. That is why I
suggest putting in all three IP numbers.

> as they should.

Opinions differ on this. Since DNS-guru Paul Vixie still lets us AXFR
from his rootserver (F), it cannot be that bad.

>  The TTLs returned by the roots are
> plenty long enough to provide a cushion for any outages, and if the roots
> are truly gone longer than that, the whole Internet will not be working.

There are two issues, which you are mixing up. Speed will always be
better when you secondary root. Security will not be much better, but
just a little.

> As has been amply pointed out, named will learn the current roots if even
> one root that it knows about is correct and functioning.  This is a
> complete non-issue.

I am not saying that hints does not work. Just that there is an
alternative method, which I and others prefer. Do not pretend there is
consensus about this among DNS people.

> And of course, using the "alternate" roots is evil.

I knew you were a religious person.

-- 
[01] All ideas are vintage not new or perfect.
http://logoff.org/
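As an added illustration of the setup Marc describes (this is not configuration from either poster), a BIND 9 `named.conf` fragment that keeps a slave copy of the root zone, with the caveat that addresses Barney's security objection. The 192.0.2.x addresses are RFC 5737 documentation placeholders, not real root server addresses, and the file path is an assumption.

```conf
// Added example: slave ("secondary") copy of the root zone in BIND 9.
// This stanza replaces the usual  zone "." { type hint; ... }  block;
// BIND refuses two zone statements for the same name.
zone "." {
    type slave;
    file "slave/root.zone";          // assumed path under named's working directory

    // Marc's advice: list every root server that permits AXFR, so that one of
    // them withdrawing zone transfers does not leave this copy stale.
    // 192.0.2.x are placeholders; substitute the real transfer-permitting servers.
    masters {
        192.0.2.1;
        192.0.2.2;
        192.0.2.3;
    };

    // Refresh, retry and expire come from the root zone's SOA record (the
    // ~30 minute refresh Marc mentions); nothing here sets that interval.
    allow-transfer { none; };        // do not become an AXFR source for others
    notify no;                       // nobody downstream needs NOTIFY messages
};

// Caveat on Barney's security point: a plain slave zone serves whatever the
// transfer delivered, unverified. BIND 9.14 and later offer "type mirror;"
// instead of "type slave;", which DNSSEC-validates the transferred root zone
// before answering from it (RFC 8806) and falls back to normal recursion if
// validation fails.
```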
