Removing root zone hints for authoritative nameservers
wsanders at gmail.com
Tue Feb 14 22:21:20 UTC 2006
I have just inherited the management of a couple of authoritative
nameservers. We're authoritative for about 1000 zones, and we still
have hints for the root zone, I guess since the beginning of time. I'm
finding that 6 million of our 9 million queries per day are getting
"referral" responses from our server, meaning we are sending the root
zone data back in response to a query for a zone we aren't
authoritative for. Presumably this is because someone out there has my
servers in their resolv.conf?
I tested a Solaris and a Linux resolver, and those resolvers cannot
resolve zones that are not ours if I put our servers in the
resolv.conf. Are there some resolvers out there, or forwarders, that
might be set to our servers, and still be behaving correctly?
ISC recommends "removing the root zone hints for authoritative-only
nameservers" so clients receive a SERVFAIL instead of a referral. Has
anyone done this and survived to tell the tale? Is there any possible
reason why we would be getting and sending referral responses, other
than client's misconfigurations?
The real reason I ask is because we are thinking of outsourcing to
UltraDNS or an equivalent. Unfortunately, UltraDNS bills for all
queries, bogus or not. If we can somehow reduce the 75% of our queries
that are bogus (we get an additional 15% or so queries that result in
NXRRSET and NXDOMAIN responses) UltraDNS would be affordable.
More information about the bind-users