Slaving root is certainly not something I would recommend to everyone.
In fact, I don't even use it on all of our name servers. I was just
answering the question regarding how one would go about doing
something rather than why or why not to do it.
Here is why I do it and why I'm fairly comfortable with it.
We have 6 geographically separated servers that are only used for
recursive resolution for residential customers. 90% of the traffic to
those boxes (about 30k queries per second, per machine, during peak
hours) is crap. Having a locally slaved root zone cuts down on the
amount of crap we in turn forward out to the world (especially to the
root servers). Being able to answer (reject, in a way) these queries
locally also helps save CPU cycles on boxes that run at around 75% of
CPU capacity.
These are also boxes that are heavily monitored and that I am logged
in to every day.
Insofar as extra load on the root servers is concerned, I think I am
using far less root server resources by doing a few TCP connections
that help me avoid sending tons of crap to them via UDP.
Like I said earlier, it's not something I would recommend for everyone,
but it seems to work well for what I use it for.
-rich
On Sep 10, 2009, at 8:16 PM, Joseph S D Yao wrote:
On Thu, Sep 10, 2009 at 11:27:27AM +0200, Michael Monnerie wrote:
On Wednesday 09 September 2009 Rich Goodson wrote:
zone "." {
zone "arpa" {
zone "in-addr.arpa" {
Thank you Rich, and the others. Can anyone confirm that this is the way
to do it? Or should I stay with ftp updates from the websites? Is there an
"officially supported" or "recommended" way to do this or that?
RFC 2870, "Root Name Server Operational Requirements", says:

    2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
        queries from clients other than other root servers. This
        restriction is intended to, among other things, prevent
        unnecessary load on the root servers as advice has been heard
        such as "To avoid having a corruptible cache, make your server a
        stealth secondary for the root zone." The root servers MAY put
        the root zone up for ftp or other access on one or more less
        critical servers.
You may take from that what you will. It sounds like discouragement to
me.
However, as M. Bortzmeyer has said, why do this? I was doing it on a
smaller internet, and came back to find that transfers for "." had been
turned off [but not in-addr.arpa [???]], and lookups were slowed down
because they were looking at our local "root" first. (It fixed itself
"by magic" when I complained, but nobody else had thought to do that.)
--
Joe Yao j...@tux.org - Joseph S. D. Yao
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
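For readers who want to see what "slaving root" on a recursive BIND 9 resolver looks like in named.conf, here is an added example. It is not Rich's posted configuration (his post in this thread only shows the zone "." / "arpa" / "in-addr.arpa" stanza headers) and it covers "." only. The root-server addresses are the ones published for f, k and c at the time of the thread and are assumed to still offer AXFR; verify them against current root-servers.org data before use, since RFC 2870 section 2.7 means any root operator may turn transfers off. The customer prefix 192.0.2.0/24 and the file paths are placeholders.

```conf
// Added example, not from the original thread: a recursive BIND 9 server
// carrying a stealth-secondary (slave) copy of the root zone.
options {
    directory "/var/named";                 // placeholder path
    recursion yes;
    allow-query { 192.0.2.0/24; };          // placeholder: customer ranges only
    allow-transfer { none; };               // never re-serve the root copy
    allow-recursion { 192.0.2.0/24; };      // placeholder: same customer ranges
};

// The local copy of "." replaces the usual "type hint" root stanza;
// do not configure both for the same zone.
zone "." {
    type slave;
    file "slave/root.zone";                 // placeholder path
    notify no;                              // nobody downstream needs NOTIFY
    masters {
        192.5.5.241;     // f.root-servers.net (assumed to allow AXFR; verify)
        193.0.14.129;    // k.root-servers.net (assumed to allow AXFR; verify)
        192.33.4.12;     // c.root-servers.net (assumed to allow AXFR; verify)
    };
};
```

Two checks are worth wiring into monitoring of the kind Rich describes. First, `dig @127.0.0.1 . SOA +norecurse` should come back authoritative, with a serial that matches `dig @f.root-servers.net . SOA`; a lagging serial means transfers are failing. Second, keep the failure mode from Joe's anecdote in mind: the root SOA expire value is 604800 seconds, so if every listed master stops answering AXFR for a week, the slave zone expires and the server starts returning SERVFAIL for everything below ".", not just for junk queries. That is the reason to list several masters and to alarm on a stale serial well before the expire timer runs out.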