Re: Local root zone (Was NYTimes: Egypt Leaders Found ‘Off’ Switch for Internet)

Doug Barton dougb at dougbarton.us
Wed Feb 16 15:22:05 CST 2011


On 02/16/2011 11:50, Franck Martin wrote:
>
>
> ----- Original Message -----
>> From: "Martin Millnert"<millnert at gmail.com>
>> To: "Marshall Eubanks"<tme at americafree.tv>
>> Cc: "North American Network Operators Group"<nanog at nanog.org>
>> Sent: Thursday, 17 February, 2011 8:28:22 AM
>> Subject: Re: NYTimes: Egypt Leaders Found ‘Off’ Switch for Internet
>> On Wed, Feb 16, 2011 at 9:09 AM, Marshall Eubanks<tme at americafree.tv>
>> wrote:
>>>
>>> On Feb 16, 2011, at 12:15 AM, Joly MacFie wrote:
>>>
>>
>> Operating local IRC networks is good, as is having local OS mirrors,
>> such as Debian/Ubuntu and let's not forget, having a resilient DNS
>> configuration (root zone copy hint 101: "dig @k.root-servers.net. .
>> axfr"). A securely distributed
>
> Would it make sense for an ISP to "store" the root zone on their DNS servers instead of letting it be refreshed by the DNS cache? A cron job could refresh it from time to time. It would avoid entries from expiring and would always serve to clients entries with max ttl?
>
> A root server would be better, but that could be an intermediary step?
>
> Just speaking out loud here, so it may be total non-sense...

This is a subject of intense debate amongst the DNS literati:

CON:
1. Failure to pay attention to your setup could cause you to have a 
stale root zone.

PRO:
1. Faster local resolution for your users, especially for malformed queries.
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS

Personally I've been doing it for years, never had a problem. On larger 
sites where I have a lot of resolvers I make the hidden master a slave 
for the root zone, and also allow the local resolvers to slave it from 
the hidden master to be more net.friendly. For BIND, make sure you 
include "notify no;" in your zone{} statement.


hth,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
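An added check, not from this thread or from Doug's setup, for the one CON he lists: a locally slaved root zone going stale unnoticed. The root zone's SOA serial is date-based (YYYYMMDDNN), so a cron job can parse the zone file a resolver is serving (e.g. the output of the `dig ... axfr` quoted above) and alarm when the serial's date falls behind; the sample zone text and the 7-day threshold are constructed assumptions.

```python
"""Flag a locally slaved root zone whose SOA serial has fallen behind.

Constructed example for a monitoring cron job; the zone text below is a
trimmed, made-up excerpt in the layout `dig axfr` prints, not real data.
"""
from datetime import date, datetime

# Constructed sample: comments, the apex SOA, and a couple of NS records.
SAMPLE_ZONE = """\
; <<>> DiG <<>> @k.root-servers.net. . axfr
.   86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2011021600 1800 900 604800 86400
.   518400 IN  NS   a.root-servers.net.
.   518400 IN  NS   k.root-servers.net.
"""


def soa_serial(zone_text):
    """Return the apex SOA serial as an int, or None if no SOA is found."""
    for line in zone_text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blank lines and dig's comment lines
        toks = line.split()
        if toks[0] == "." and "SOA" in toks:
            i = toks.index("SOA")
            # Fields after SOA: mname, rname, serial, refresh, retry, ...
            return int(toks[i + 3])
    return None


def serial_date(serial):
    """Decode the YYYYMMDD prefix of a root-zone-style serial into a date."""
    return datetime.strptime(str(serial)[:8], "%Y%m%d").date()


def is_stale(serial, today=None, max_age_days=7):
    """True when the serial's date is older than max_age_days (assumed threshold).

    `today` may be None (use the real date), an ISO date string, or a date.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - serial_date(serial)).days > max_age_days


if __name__ == "__main__":
    serial = soa_serial(SAMPLE_ZONE)
    print("serial", serial, "stale" if is_stale(serial) else "fresh")
```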
