root-hints as master for RFC7706

rainer at ultra-secure.de
Fri Nov 30 14:15:21 UTC 2018


Am 2018-11-30 15:05, schrieb Joe Abley:
> On Nov 30, 2018, at 08:37, Rainer Duffner via Unbound-users
> <unbound-users at nlnetlabs.nl> wrote:
> 
>> lax.xfr.dns.icann.org.
> 
> 
> When I was in the team that operated that service there we went to
> some lengths to emphasise that it was not a supported, production,
> operational service but rather a convenient troubleshooting and
> diagnostic tool provided on a best-effort basis.
> 
> (I think it's actually xfr.lax.dns.icann.org; there was a companion
> service xfr.cjr.dns.icann.org. They served not just the root zone but
> every infrastructure/community zone that ICANN hosted, like
> ROOT-SERVERS.NET, ARPA, IN-ADDR.ARPA, URI.ARPA, etc, etc.)
> 
> This may be perfectly fine for your purposes (and of course the
> disposition of those services might have changed during the 800 years
> I've been away) but I thought I'd mention it.
> 
> 
> Joe


OK,

the blurb in named.conf.sample says:

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

/*      Slaving the following zones from the root name servers has some
         significant advantages:
         1. Faster local resolution for your users
         2. No spurious traffic will be sent from your network to the roots
         3. Greater resilience to any potential root server failure/DDoS

         On the other hand, this method requires more monitoring than the
         hints file to be sure that an unexpected failure mode has not
         incapacitated your server.  Name servers that are serving a lot
         of clients will benefit more from this approach than individual
         hosts.  Use with caution.

         To use this mechanism, uncomment the entries below, and comment
         the hint zone above.

         As documented at http://dns.icann.org/services/axfr/ these zones:
         "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others
         are available for AXFR from these servers on IPv4 and IPv6:
         xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
         type slave;
         file "/usr/local/etc/namedb/slave/root.slave";
         masters {
                 192.0.32.132;           // lax.xfr.dns.icann.org
                 2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
                 192.0.47.132;           // iad.xfr.dns.icann.org
                 2620:0:2830:202::132;   // iad.xfr.dns.icann.org
         };
         notify no;
};


pkg info bind911
bind911-9.11.3_1
Name           : bind911
Version        : 9.11.3_1
Installed on   : Thu Apr 19 14:14:06 2018 CEST
Origin         : dns/bind911
Architecture   : FreeBSD:11:amd64
Prefix         : /usr/local
Categories     : net dns ipv6
Licenses       : MPL20
Maintainer     : mat at FreeBSD.org
WWW            : https://www.isc.org/software/bind
Comment        : BIND DNS suite with updated DNSSEC and DNS64



I'd have to check the source (of 9.12 or 9.13) to see if anything has changed in that text.

It doesn't say "don't use this in production".




Rainer
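
Since the thread is about doing RFC 7706 with Unbound rather than BIND, here is the Unbound counterpart of the named.conf.sample slave-zone stanza quoted above. This is an added example for this archive page, not configuration from either message or from the Unbound project. It uses Unbound's auth-zone mechanism (unbound.conf(5), Unbound 1.7.0 and later). The ICANN xfr addresses are the ones in the quoted BIND sample; the root-server addresses are the b/c/d/f/g/k letters that permit zone transfer, as listed in the unbound.conf(5) example and RFC 8806, and should be checked against current root hints before use. The zonefile path is an assumption (it is relative to Unbound's working directory, so inside the chroot if one is configured).

```conf
# Added example: local copy of the root zone for upstream use only (RFC 7706).
# Not from the original thread; addresses per unbound.conf(5) example / RFC 8806
# plus the ICANN xfr servers quoted from named.conf.sample above.
server:
    # Keep validating: data from the local root copy is still checked against
    # the root trust anchor, so a bad or spoofed transfer cannot poison answers.
    auto-trust-anchor-file: "root.key"

auth-zone:
    name: "."
    # Root servers that allow AXFR/IXFR (RFC 8806 list); tried in turn.
    master: 199.9.14.201            # b.root-servers.net
    master: 192.33.4.12             # c.root-servers.net
    master: 199.7.91.13             # d.root-servers.net
    master: 192.5.5.241             # f.root-servers.net
    master: 192.112.36.4            # g.root-servers.net
    master: 193.0.14.129            # k.root-servers.net
    # ICANN best-effort troubleshooting service (see Joe's note above);
    # keep it as one source among several, not the only one.
    master: 192.0.47.132            # xfr.cjr.dns.icann.org
    master: 2620:0:2830:202::132    # xfr.cjr.dns.icann.org
    master: 192.0.32.132            # xfr.lax.dns.icann.org
    master: 2620:0:2d0:202::132     # xfr.lax.dns.icann.org
    # If no master can be reached and the copy expires, go back to normal
    # iterative resolution from the hints instead of failing all lookups.
    # This is the "unexpected failure mode" the BIND blurb warns about.
    fallback-enabled: yes
    # Serve the copy to the resolver itself only; do not answer clients
    # authoritatively for "." and do not offer it for AXFR downstream.
    for-downstream: no
    for-upstream: yes
    # Assumed path, relative to Unbound's working directory / chroot.
    zonefile: "root.zone"
```

With for-upstream: yes and for-downstream: no the resolver uses the local copy to answer its own root referrals only, which gets the speed and privacy benefits the BIND blurb lists without turning the recursive server into a root mirror. fallback-enabled: yes is the piece that the BIND sample does not have: it means a stale or failed transfer degrades to ordinary root queries rather than to an outage, which is why this needs less monitoring than a BIND slave zone. After a reload, unbound-control auth_zone_reload . forces a transfer and the log shows whether any master actually answered.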
