root and in-addr.arpa zone transfers

Rich Goodson rgoodson at gronkulator.com
Fri Sep 11 14:13:15 UTC 2009


Slaving root is certainly not something I would recommend to everyone.  
In fact, I don't even use it on all of our name servers. I was just  
answering the question regarding how one would go about doing  
something rather than why or why not to do it.

Here is why I do it and why I'm fairly comfortable with it.
We have 6 geographically separated servers that are only used for  
recursive resolution for residential customers.  90% of the traffic to  
those boxes (about 30k queries per second, per machine, during peak  
hours) is crap.  Having a locally slaved root zone cuts down on the  
amount of crap we in turn forward out to the world (especially to the  
root servers).  Being able to answer (reject, in a way) these queries  
locally also helps save CPU cycles on boxes that run at around 75% of  
CPU capacity.

These are also boxes that are heavily monitored and that I am logged  
in to every day.

Insofar as extra load on the root servers is concerned, I think I am  
using far less root server resources by doing a few TCP connections  
that help me avoid sending tons of crap to them via UDP.

Like I said earlier.  Not something I would recommend for everyone,  
but it seems to work well for what I use it for.

-rich

On Sep 10, 2009, at 8:16 PM, Joseph S D Yao wrote:

> On Thu, Sep 10, 2009 at 11:27:27AM +0200, Michael Monnerie wrote:
>> On Wednesday 09 September 2009 Rich Goodson wrote:
>>> zone "." {
>>> zone "arpa" {
>>> zone "in-addr.arpa" {
>>
>> Thank you Rich, and the others. Can anyone confirm that this is the way
>> to do? Or should I stay with ftp updates from the websites? Is there an
>> "officially supported" or "recommended" way to do this or that?
>
>
> RFC 2870, "Root Name Server Operational Requirements", says:
>
>   2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
>       queries from clients other than other root servers.  This
>       restriction is intended to, among other things, prevent
>       unnecessary load on the root servers as advice has been heard
>       such as "To avoid having a corruptible cache, make your server a
>       stealth secondary for the root zone."  The root servers MAY put
>       the root zone up for ftp or other access on one or more less
>       critical servers.
>
> You may take from that what you will.  It sounds like discouragement to
> me.
>
> However, as M. Bortzmeyer has said, why do this?  I was doing it on a
> smaller internet, and came back to find that transfers for "." had been
> turned off [but not in-addr.arpa [???]], and lookups were slowed down
> because they were looking at our local "root" first.  (It fixed itself
> "by magic" when I complained, but nobody else had thought to do that.)
>
>
> -- 
> /*********************************************************************\
> ** Joe Yao				jsdy at tux.org - Joseph S. D. Yao
> \*********************************************************************/
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
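A named.conf fragment for the kind of locally slaved root zone Rich describes, added here as an illustration; it is not Rich's configuration, nor anything from ISC or the root operators. The transfer sources are the root-zone AXFR providers published in RFC 8806, Appendix A (IPv4 only), and they are an assumption to verify against the current list before use: a source that withdraws AXFR, the situation Joe ran into, leaves the slave serving a stale copy until the zone expires. The "arpa" and "in-addr.arpa" zones from the quoted config are left out because this example does not assume their operators allow transfers. The address ranges are placeholders.

```conf
// Added example, not from the original post: a stealth slave of the
// root zone on a recursive-only resolver, so junk queries for
// nonexistent TLDs are refused locally instead of being forwarded to
// the root servers.
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // assumption: customer ranges
    // Keep validation on: a transferred copy is not authenticated by
    // the transfer itself, so bad data in it must still fail DNSSEC.
    dnssec-validation auto;
};

zone "." {
    type slave;
    file "slave/root.zone";
    // Transfer sources from RFC 8806, Appendix A (assumption: verify
    // against the current list; operators can withdraw AXFR at any time).
    masters {
        192.33.4.12;     // c.root-servers.net
        192.5.5.241;     // f.root-servers.net
        192.112.36.4;    // g.root-servers.net
        193.0.14.129;    // k.root-servers.net
        192.0.32.132;    // lax.xfr.dns.icann.org
        192.0.47.132;    // iad.xfr.dns.icann.org
    };
    // This copy exists only to answer our own customers; never let it
    // be transferred or notified onward.
    notify no;
    allow-transfer { none; };
    allow-query { localhost; 10.0.0.0/8; };  // assumption: customer ranges
};
```

After loading, compare the local serial with one from a root server (for example `dig +norec @127.0.0.1 . SOA` against `dig @a.root-servers.net . SOA`) and watch for "refresh: failure" or "expired" messages in the named log, which are exactly the silent failure mode Joe describes. A plain slave zone trusts whatever the transfer source sends; BIND 9.14 and later offer `type mirror`, which DNSSEC-validates the transferred root zone before serving it and is the safer choice where available.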
