Local Slave copy of root zone

Doug Barton dougb at dougbarton.us
Wed Aug 22 05:20:47 UTC 2018


On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote:
> On 08/20/2018 11:06 PM, Doug Barton wrote:
>> But that doesn't mean that slaving a zone, any zone, including the 
>> root, is "dangerous." If slaving zones is dangerous, the DNS is way 
>> more fragile than it already is.
> 
> Sorry, poor chose of words.
> 
> The last time I read the RFC discussing slaving the root zone stressed 
> that it should only be done for localhost and / or a special config that 
> could only impact the single host if (implying when) there was a 
> problem, thus limiting the scope of negative impact.
> 
> I combined that and the potential unvalidated zone transfer allowing 
> ""corruption and called it "dangerous".
> 
> I don't think there is anything dangerous about slave zone transfers at 
> all.  I've been doing them for the better part of 20 years.
> 
> I think the ""danger, if any, is the fact that the discussion was around 
> the root zone and the potential impact of the blast radius if things 
> went wrong.  Namely all client machines that used the DNS server in 
> question.
> 
>> The DNSSEC validation errors that Tony references are self-healing, in 
>> that if the validating resolver stops validating things, the operator 
>> is hopefully going to notice that, and take steps to fix it.
> 
> Sadly, the small user base that I've had, has been more likely to not 
> tell me about problems and live with things or change things to use 
> other servers without providing that desired ~> needed feedback loop.
> 
>> I am certainly open to the new mirror zone software doing awesome 
>> things, don't get me wrong. But don't call something "dangerous" that 
>> lots of people have already been using successfully for over 15 years.
> 
> Sorry for the poor choice of words.

Fair enough, no harm in challenging assumptions, etc. I have never said 
that slaving the root is for everyone, and you've illustrated some good 
reasons why.



More information about the bind-users mailing list