Date:      Tue, 17 Jul 2007 11:29:54 GMT
From:      Volker Werth <volker@vwsoft.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   conf/114652: [patch] FreeBSD relies on root zone transfer AXFR
Message-ID:  <200707171129.l6HBTsqi069677@www.freebsd.org>
Resent-Message-ID: <200707171130.l6HBU1JM073543@freefall.freebsd.org>


>Number:         114652
>Category:       conf
>Synopsis:       [patch] FreeBSD relies on root zone transfer AXFR
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 17 11:30:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Volker Werth
>Release:        6-STABLE
>Organization:
>Environment:
>Description:
FreeBSD does a root zone transfer from the DNS root servers in its default configuration.

RFC2870 says:
2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
        queries from clients other than other root servers.  This
        restriction is intended to, among other things, prevent
        unnecessary load on the root servers as advice has been heard
        such as "To avoid having a corruptible cache, make your server a
        stealth secondary for the root zone."  The root servers MAY put
        the root zone up for ftp or other access on one or more less
        critical servers.

Per the RFC, a root zone transfer (AXFR/IXFR) is therefore not guaranteed to work. Just 5 out of 13 DNS root servers currently answer AXFR requests. If these 5 root servers start denying AXFR requests at some point in the future, FreeBSD machines may lose connectivity because DNS queries stop working.

Changing the default configuration (see the patch below) so that the root zone is of type hint makes DNS on FreeBSD work reliably and in the way the RFC guarantees. An experienced DNS admin can still switch to a zone transfer if that is what they want. For the inexperienced DNS user, a default configuration that works reliably is best.
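As an added check (not part of this PR or of the FreeBSD configuration), a small Python audit that reports which zones in a named.conf are still of type slave. It strips `/* */`, `//` and `#` comments first, because after this patch the slave root zone sits inside a comment block and a plain grep for `type slave` would still match it. The sample named.conf and the 192.0.2.1 masters address are constructed for the example.

```python
import re

# Constructed sample modelled on the patched named.conf from this PR: the slave
# root zone sits inside the /* ... */ comment, the hint zone is active and the
# "arpa" zone is still slaved. 192.0.2.1 is a TEST-NET placeholder, not a root server.
PATCHED_NAMED_CONF = """\
/*
        zone "." { type hint; file "named.root"; };
zone "." {
        type slave;
        file "slave/root.slave";
        masters { 192.0.2.1; };
};
*/
zone "." { type hint; file "named.root"; };
zone "arpa" {
        type slave;
        file "slave/arpa.slave";
        masters { 192.0.2.1; };
};
"""

def strip_comments(text):
    """Drop /* ... */, // and # comments so commented-out zones are not matched."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def zone_blocks(text):
    """Yield (name, body) for each zone statement, matching nested braces
    so a masters { ...; }; list inside the zone does not end the block early."""
    for m in re.finditer(r'zone\s+"([^"]*)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def zone_types(named_conf):
    """Map zone name -> type ("hint", "slave", "master", ...) for active zones only."""
    types = {}
    for name, body in zone_blocks(strip_comments(named_conf)):
        m = re.search(r"\btype\s+(\w+)\s*;", body)
        types[name] = m.group(1) if m else None
    return types

def slaved_zones(named_conf):
    """Names of zones whose data still depends on a zone transfer succeeding."""
    return sorted(n for n, t in zone_types(named_conf).items() if t == "slave")
```

Running `slaved_zones` over a stock named.conf before this patch reports `.` as well, which is the dependency the PR wants removed.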
>How-To-Repeat:
Do a fresh install, or let mergemaster set named.conf to the default configuration.
>Fix:
--- named.conf.orig     Tue Jul 17 13:09:58 2007
+++ named.conf  Tue Jul 17 13:14:21 2007
@@ -65,11 +65,15 @@
        1. Faster local resolution for your users
        2. No spurious traffic will be sent from your network to the roots
        3. Greater resilience to any potential root server failure/DDoS
+       NOTE:
+       relying on zone transfer of the root zone is not guaranteed
+       to work (see RFC2870, 2.7). Be aware of the consequences if you enable
+       your resolver being a slave of the root zone! Also your firewall
+       must allow 53/tcp to pass out (statefully or in and out).
 
        If you do not wish to slave these zones from the root servers
        use the entry below instead.
        zone "." { type hint; file "named.root"; };
-*/
 zone "." {
        type slave;
        file "slave/root.slave";
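Review bot: the retained context `If you do not wish to slave these zones from the root servers` / `use the entry below instead.` reads backwards once this hunk drops the `*/`, because the hint entry becomes the active default (the second hunk inserts it uncommented) and this slave block becomes the commented-out alternative; reword it to say that admins who want to slave the root zone should uncomment this block and remove the active hint entry. The added NOTE should also spell out the consequence it alludes to, as the description does: when the slave root zone can no longer be refreshed it expires and the resolver stops answering, and `enable your resolver being a slave` should read `configure your resolver as a slave`.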
@@ -82,6 +86,10 @@
        };
        notify no;
 };
+*/
+
+zone "." { type hint; file "named.root"; };
+
 zone "arpa" {
        type slave;
        file "slave/arpa.slave";
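Review bot: the new `*/` closes the comment immediately after the `.` slave zone, so `zone "arpa" { type slave; file "slave/arpa.slave";` in the trailing context remains an active slave zone that still needs a zone transfer to succeed; the description's rationale (RFC 2870 section 2.7 does not guarantee AXFR to anyone but other root servers) applies to every zone slaved from the root servers, so either comment out the remaining slave zones as well (the resolver then reaches arpa through the root hints like any other zone) or state in the NOTE why only the root zone is switched to hint.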


>Release-Note:
>Audit-Trail:
>Unformatted:
