root and in-addr.arpa zone transfers

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Sep 11 15:11:38 UTC 2009


On 11.09.09 09:13, Rich Goodson wrote:
> Slaving root is certainly not something I would recommend to everyone.  
> In fact, I don't even use it on all of our name servers. I was just  
> answering the question regarding how one would go about doing something 
> rather than why or why not to do it.
>
> Here is why I do it and why I'm fairly comfortable with it.
> We have 6 geographically separated servers that are only used for  
> recursive resolution for residential customers.  90% of the traffic to  
> those boxes (about 30k queries per second, per machine, during peak  
> hours) is crap.  Having a locally slaved root zone cuts down on the  
> amount of crap we in turn forward out to the world (especially to the  
> root servers).  Being able to answer (reject, in a way) these queries  
> locally also helps save CPU cycles on boxes that run at around 75% of  
> CPU capacity.

Yesterday I read (again, first time a ~year ago) the whole (hopefully)
thread and I'll try to summarize what I've remembered:

- too many "." slaves can cause overload of root nameservers - it's much
  easier to handle many UDP requests than a few TCP requests.

- it's not good to have that by default. There are many DNS recursive
  servers in the world (I'd say most) that only have a few clients, and are
  not generating enough traffic so they wouldn't spare anything but it
  could overload root servers.

- if you have enough different clients (which appears to be your case),
  it's apparently acceptable for you to slave the root zone, although it's
  recommended not to do it from all of your servers. A local axfr hierarchy
  could do that.

- the crap sent to TLD servers (yes, there's much of it but they can handle
  it) changes over time and their operators are finding reasons for what's
  happening and contacting companies that are responsible for it.

- only a few roots allow AXFR of the root zone, although the RFC discourages
  that. ISC servers (and possibly others) do that for diagnostic reasons, not
  for "ordinary" people doing that.

- it's quite risky if server(s) in the "masters" directive would stop
  providing AXFR, the zone could expire which would lead to troubles.

- there are scripts fetching the root zone via FTP from rs.internic.net,
  unluckily not all of them are verifying all those checks for its
  signature, which may lead to problems. Expiration doesn't happen here
  which can otoh cause problems when scripts fail to fetch the zone and new
  TLDs will appear or the root servers' IPs will change.

- it's quite useless to cache the .arpa and .in-addr.arpa since unlike other
  TLDs they are hierarchically organised so there won't be any valuable
  benefit from slaving them, only risks (see above).

- there's no way of slaving huge domains like .com .net (they aren't
  apparently slaved even by verisign's servers).

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
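The expiry risk raised in the summary above (a slaved copy of "." going stale once the masters stop serving AXFR, or a replacement copy fetched by a script being older than what is already loaded) is something a defender can monitor. The following is an added example, not code from the post, from BIND or from ISC: it parses the SOA record of a zone in master-file syntax (both one-line and parenthesised forms), reports how far a slave copy is from its EXPIRE deadline given the time of its last successful refresh, and compares serials with RFC 1982 wrap-around arithmetic. The zone text, names (ns.example., hostmaster.example.), serial and timestamps are constructed sample data and not the real root zone.

```python
"""Expiry check for a locally slaved zone (added example, not from the post).

A slave stops answering for a zone once EXPIRE seconds have passed since its
last successful refresh from the masters (RFC 1035 SOA semantics).  This
script parses the SOA record from a zone file in BIND master-file syntax and
reports how close a slave copy is to that point.  All names, serials and
timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample zone text (NOT the real root zone): one-line SOA, the
# layout the published root zone file uses.
SAMPLE_ZONE = """\
; constructed sample zone
$TTL 86400
.       86400   IN  SOA ns.example. hostmaster.example. 2009091100 1800 900 604800 86400
.       518400  IN  NS  ns.example.
"""

# The same record in parenthesised multi-line form with comments, as
# hand-written zone files often have it.
SAMPLE_ZONE_MULTILINE = """\
@   IN  SOA ns.example. hostmaster.example. (
        2009091100  ; serial
        1800        ; refresh
        900         ; retry
        604800      ; expire
        86400 )     ; minimum
"""

# Constructed timestamp of the last successful refresh from the masters.
LAST_REFRESH = datetime(2009, 9, 11, 15, 11, 38, tzinfo=timezone.utc)


def _records(zone_text):
    """Yield each master-file record as a token list, with ';' comments
    removed and parenthesised multi-line records joined into one."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # SOA fields contain no quoted ';'
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens = " ".join(buf).split()
            buf, depth = [], 0
            if tokens:
                yield tokens


def parse_soa(zone_text):
    """Return the SOA fields of the zone as a dict, or raise ValueError."""
    for tokens in _records(zone_text):
        upper = [t.upper() for t in tokens]
        if "SOA" not in upper:
            continue
        fields = tokens[upper.index("SOA") + 1:]   # MNAME RNAME + 5 numbers
        if len(fields) != 7:
            raise ValueError("malformed SOA record: %r" % (tokens,))
        serial, refresh, retry, expire, minimum = (int(v) for v in fields[2:])
        return {"mname": fields[0], "rname": fields[1], "serial": serial,
                "refresh": refresh, "retry": retry, "expire": expire,
                "minimum": minimum}
    raise ValueError("no SOA record found")


def slave_status(soa, age_seconds):
    """State of a slave copy whose last successful refresh was `age_seconds` ago.

    The slave re-checks the master every REFRESH seconds, retries every RETRY
    seconds while the master is unreachable (e.g. AXFR withdrawn), and after
    EXPIRE seconds without a successful refresh stops serving the zone.
    """
    return {
        "age_seconds": int(age_seconds),
        "refresh_overdue": age_seconds > soa["refresh"],
        "expired": age_seconds >= soa["expire"],
        "seconds_until_expiry": max(0, int(soa["expire"] - age_seconds)),
    }


def slave_status_at(soa, last_refresh, now):
    """Convenience wrapper taking datetimes instead of an age in seconds."""
    return slave_status(soa, (now - last_refresh).total_seconds())


def serial_is_newer(candidate, current):
    """RFC 1982 serial comparison: True if `candidate` is newer than `current`,
    correct across 32-bit wrap-around.  Worth checking before replacing a
    loaded zone with a copy fetched out of band (e.g. by an FTP script)."""
    return candidate != current and (candidate - current) % 2**32 < 2**31


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    for hours in (1, 24, 24 * 8):
        st = slave_status_at(soa, LAST_REFRESH, LAST_REFRESH + timedelta(hours=hours))
        print("%4dh after last refresh: refresh overdue=%s expired=%s (%ds left)"
              % (hours, st["refresh_overdue"], st["expired"], st["seconds_until_expiry"]))
```

Run against a zone file dumped from the slave together with the time of its last successful transfer (BIND logs each one), and alert well before `seconds_until_expiry` reaches zero; with the 604800-second EXPIRE used in the sample, a slave whose masters withdrew AXFR has one week before it silently stops serving the zone.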


