slave on per-zone basis only?

Pete Ehlke pde at
Sat Feb 23 19:05:09 UTC 2002

On Thu, Feb 21, 2002 at 08:28:18PM -0800, WebReactor Networks wrote:
> Could I avoid cache poisoning by setting the TTL on the SOA record to 0?
> This should keep the bogus root SOA from getting cached.  I certainly don't
> want to be destructive.  I tried this on a test server, and "dig
> @(test-server) . soa" comes back with a zero TTL.  I wanted your opinion
> before doing this on the Production server.
> Microsoft DNS installs as a root server by default; were many name servers
> vulnerable to cache poisoning for the root zone, then the problem would be
> encountered often, no?
Well, this question comes up here from time to time, and it's a subject
of some irritation on the djbdns list, where one frequent poster keeps
telling people to make their servers authoritative for '.' as part of a
scheme to avoid rfc2317, which he thinks is overly complex.

AFAICT, there is no RFC that explicity says that internet connected name
servers MUST NOT or SHOULD NOT claim authority over zones that are explicitly
delegated to other servers, but I've yet to find a situation in which
it's not an ugly hack. My original point stands: there are servers out
there in the world that you *will* sooner or later poison if you claim
authority for '.'. And some of them may refuse to believe your TTL of
zero- ISTR some versions of BIND itself doing this. The bottom line is
that claiming authority over '.', though not expressly forbidden, is a
dodgy proposition that simply saves you a (very) little work at the
expense of breaking other people's servers. Syncing your servers' conf
files isn't terribly hard; the perl to convert a master file into a
slave file is dead easy, as is the perl to generate both from one
source. You can even do what some of us here do- create a special zone
containing only TXT records on a hidden master, and have scripts on your
public facing servers parse that zone and create their conf files based
on it.

As for your comment about M$DNS: Microsoft machines do a lot of things
wrong by default, and Microsoft have yet to demonstrate that they
understand and care about the correct and efficient operation of the
DNS. I certainly hope that you're not arguing that the way M$ do things
is to be used as an example or blueprint for operating hosts on the


More information about the bind-users mailing list