Local Slave copy of root zone
gtaylor at tnetconsulting.net
Tue Aug 21 15:53:41 UTC 2018
On 08/20/2018 11:06 PM, Doug Barton wrote:
> But that doesn't mean that slaving a zone, any zone, including the root,
> is "dangerous." If slaving zones is dangerous, the DNS is way more
> fragile than it already is.
Sorry, poor choice of words.
The last time I read the RFC discussing slaving the root zone, it stressed
that it should only be done for localhost and / or a special config that
could only impact the single host if (implying when) there was a
problem, thus limiting the scope of negative impact.
I combined that and the potential unvalidated zone transfer allowing
"corruption" and called it "dangerous".
I don't think there is anything dangerous about slave zone transfers at
all. I've been doing them for the better part of 20 years.
I think the "danger", if any, is the fact that the discussion was around
the root zone and the potential impact of the blast radius if things
went wrong. Namely all client machines that used the DNS server in
> The DNSSEC validation errors that Tony references are self-healing, in
> that if the validating resolver stops validating things, the operator is
> hopefully going to notice that, and take steps to fix it.
Sadly, the small user base that I've had, has been more likely to not
tell me about problems and live with things or change things to use
other servers without providing that desired ~> needed feedback loop.
> I am certainly open to the new mirror zone software doing awesome
> things, don't get me wrong. But don't call something "dangerous" that
> lots of people have already been using successfully for over 15 years.
Sorry for the poor choice of words.
Grant. . . .
unix || die
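As an added illustration (not configuration from the thread or from BIND's own documentation), this named.conf shows the localhost-only pattern the post describes: the root zone is slaved inside a view that only processes on the same host can reach, so a bad or tampered transfer cannot affect other clients, while everyone else gets an ordinary validating resolver. The master addresses are TEST-NET placeholders, not real transfer servers.

```conf
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;   // validates normal recursive answers
};

// View 1: reachable only from this machine, so any problem with the
// local root copy is confined to the single host.
view "loopback" {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;

    // Classic "slave the root" approach discussed in the thread.
    // Data in a slave zone is served as authoritative, so a corrupted
    // or tampered zone transfer is NOT caught by the resolver's DNSSEC
    // validator; that is why the scope is limited to localhost.
    zone "." {
        type slave;
        file "root.slave";
        masters { 192.0.2.10; 192.0.2.11; };   // placeholders, replace
        notify no;
        allow-query { localhost; };
        allow-transfer { none; };
    };

    // BIND 9.14+ alternative (the "mirror zone" Doug mentions): the
    // transferred zone is DNSSEC-validated against the root trust
    // anchor before it is used, and named falls back to ordinary
    // recursion if that validation fails. Use instead of the slave
    // zone above, never both:
    //
    // zone "." {
    //     type mirror;
    //     masters { 192.0.2.10; 192.0.2.11; };   // placeholders
    // };
};

// View 2: every other client gets a normal validating resolver that
// resolves via the root servers, untouched by the local copy.
view "external" {
    match-clients { localnets; };   // adjust to the served networks
    recursion yes;
};
```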