Re: default dns config change causing major poolpah

From: jonathan michaels <jlm_at_caamora.com.au>
Date: Thu, 2 Aug 2007 21:26:49 +1000
On Thu, Aug 02, 2007 at 06:26:46AM +0200, Thijs Eilander wrote:
> >If there is a consensus based on solid technical reasons (not emotion
> >or FUD) to back the root zone slaving change out, I'll be glad to do
> >so. I think it would be very useful at this point if those who _like_
> >the change would speak up publicly as well.
> 
> For starters, I have been doing it since 1998 (and not only in named) on busy dns
> servers.
> I like the idea.... but not the change.
> 
> Motivation:
> 
> 1) Not everyone is an admin on a "busy nameserver". Is it really necessary
> to include it in the distribution? A lot of people don't even get it, they
> just set up their homemade firewall/dnsserver. Do those people need to slave
> the rootservers by default? Why?
> 
> 2) Skilled administrators are aware of the slave trick, or they fetch
> root.zone.gz once a week. Why include it for the skilled at the expense of the
> clueless people from argument 1?

i am not a 'skilled administrator', i'd probably not quite make it to
clueless user status, as yet, but i am working on it .. some ten years
and prior to that and my accident some 15 years on qnx and os9: level I and level II

(note i am a disabled man, born with a damaged brain --- memory disabilities
and learning skills deficits as well as motor skills deficiencies ..
please excuse my typing)


> Why not fetch the root.zone.gz file itself once a week? Matthew Dillon
> sent a nice getroot script to this discussion, I think we should put an
> adjusted script in /etc/periodic/weekly. This seems to be a cleaner way than
> using axfr on rootservers which don't notify us on changes. (Benefit: the
> root.zone.gz is signed, axfr probably not).

i am not claiming to understand the issues involved, i've asked off list
and am waiting for replies .. hopefully they will come.

but given what i have read and understand of the tasks involved
and the load issues and so forth i think that this would be a really
good idea.

most new users haven't got a hope of understanding what is going on .. i
have just upgraded my whole network from 25 year old 386dx33 machines
to 10 year old compaq proliant 5500 (2 off with 4 cpu 4 gb dram and
nice scsi raid onboard and a proliant 1850r with 2 cpu and 2 gb dram i
think) but more importantly the software went from freebsd v2.2.5-R to
v6.2-R and i have found that it might have been easier to dump freebsd
and go with netbsd/openbsd, something like that.

there are a lot of differences and it's a steep learning curve for a new
user or an old user with some significant learning deficits like me.

my network is connected to the backbone via a permanent dialup modem and the
new named is having issues/squabbles with ppp/pppd. i've been a devout
pppd user some 10 years, i think that pppd is just the way that it
should be done, a personal opinion nothing more nothing less.
i get hourly reminders in /var/log/messages about permissions/interface
dropped, named ignoring the port. locally dns seems to be working on the
bind 9.?.? (3 something) but i don't know if it's being seen outside or
if any of my secondaries are getting their data streams.

at first it seemed to be a firewall issue, so after giving up trying to
make the jump from the v2.2.5 edition ipfw to the current one with v6.2 i
gave up and asked a friend for help with setting up pf. as far as i can
tell pf is doing its job and i've dismantled all the ipfw stuff on the
6 or so servers handling the gateway (fidonet to/from usenet) and now
the gateway machine is running pf and the sshd attack/probes have stopped
(it seems) but my named is still complaining hourly about these
ports/permissions errors that it was complaining about with pppd and ipfw

i have scoured the handbook, the faq, even the fabled google and there
is precious little, whatever there is relates to some obscure linux dns
running in a jailed environment .. i tried de-jailing, sorry that is
not the correct term but the best that i can do without making a major
effort to dig it out of the relevant doc sets.

it is things like this that make arbitrary decisions/changes to
runtime/production environments a real pain .. i suppose if i were a
real administrator i'd have the skills to diagnose this problem but the
reality is that i am a "special" trying to overcome the bigotry and out
right discrimination that i have come to expect as my lot in life,
thankfully it is not so bad here in freebsd land .. but it rears its
head to remind me that i'm not in heaven, just quite yet, big grin, ok.

> 
> Personally I think this serves the same goal and hopefully in a less
> annoying way, without having to worry (or argue!) about whether axfr is still
> allowed for at least the next 2 years.

this sounds really good to me, hopefully some level of sanity might
prevail
 
> Just another 2 cents for your moneybag, what will you do with all that
> 'funding'? :)

and another 2 australian cents from me, thijs .. thanks for writing your
good article

as always please excuse the poor writing/typing and grammar

kind regards

jonathan

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====
Received on Thu Aug 02 2007 - 09:47:03 UTC
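The quoted proposal above (a weekly fetch of root.zone.gz from /etc/periodic/weekly instead of slaving the root zone by AXFR) is sketched below as an added example; it is not Matthew Dillon's getroot script, not part of this thread, and not FreeBSD's own periodic script. What it adds over a bare fetch is the part that protects a production named: the download is checked before it replaces anything, the serial must move forward, and the swap is atomic so named never reads a half-written file. Assumed or constructed here: the placeholder ROOT_ZONE_URL, the ".sha256" sidecar (a stand-in for verifying the signed root.zone.gz; a gpg --verify on the real signature belongs in the same place), the periodic.conf-style variable weekly_rootzone_enable, the single-line SOA layout the serial check relies on, and the sample zone data.

```shell
#!/bin/sh
# Weekly root.zone refresh shaped like an /etc/periodic/weekly script.
# Added example; names marked "assumed" are not from the thread or FreeBSD.

ROOT_ZONE_URL="${ROOT_ZONE_URL:-https://example.invalid/root.zone.gz}"  # placeholder
ZONE_FILE="${ZONE_FILE:-/etc/namedb/root.zone}"                          # assumed path

# Portable SHA-256 of a file (FreeBSD ships sha256(1), Linux sha256sum(1)).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Serial of an installed zone, or 0 if no zone (or no SOA) is present.
# Assumes a one-line SOA: ". TTL IN SOA mname rname serial refresh ..."
zone_serial() {
    [ -f "$1" ] || { echo 0; return; }
    s=$(awk '$3=="IN" && $4=="SOA" {print $7; exit}' "$1")
    echo "${s:-0}"
}

# Check a downloaded zone before it goes anywhere near named:
#  1. sidecar checksum matches (stand-in for the signature check on root.zone.gz)
#  2. the gzip stream is intact
#  3. an SOA exists and its serial is newer than the zone we already serve
validate_root_zone() {
    gz=$1; sum=$2; installed=$3; out=$4
    expected=$(awk '{print $1; exit}' "$sum")
    [ "$(digest "$gz")" = "$expected" ] || { echo "checksum mismatch" >&2; return 1; }
    gzip -t "$gz" 2>/dev/null || { echo "corrupt gzip" >&2; return 1; }
    gzip -dc "$gz" > "$out" || return 1
    new=$(zone_serial "$out"); cur=$(zone_serial "$installed")
    [ "$new" -gt 0 ] || { echo "no SOA record in zone" >&2; return 1; }
    [ "$new" -gt "$cur" ] || { echo "serial $new is not newer than $cur" >&2; return 1; }
}

# rename(2) is atomic within a filesystem, so named sees old or new, never a mix.
install_root_zone() {
    mv "$1" "$2" && chmod 0644 "$2"
}

# Validate + install. On any failure the previously installed zone is untouched.
refresh_root_zone() {
    gz=$1; sum=$2; installed=$3
    tmp="${installed}.new.$$"
    if validate_root_zone "$gz" "$sum" "$installed" "$tmp"; then
        install_root_zone "$tmp" "$installed"
    else
        rm -f "$tmp"; return 1
    fi
}

# Network step kept separate so everything above can be exercised on local files.
fetch_root_zone() {
    fetch -o "$1" "$ROOT_ZONE_URL" && fetch -o "$2" "${ROOT_ZONE_URL}.sha256"
}

# Constructed sample data (not real root zone contents) for offline runs.
make_sample_zone() {
    printf '. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. %s 1800 900 604800 86400\n. 518400 IN NS a.root-servers.net.\n' "$2" > "$1/root.zone.txt"
    gzip -c "$1/root.zone.txt" > "$1/root.zone.gz"
    digest "$1/root.zone.gz" > "$1/root.zone.gz.sha256"
}

demo() {
    d=$(mktemp -d) || exit 1
    make_sample_zone "$d" 2007080201
    refresh_root_zone "$d/root.zone.gz" "$d/root.zone.gz.sha256" "$d/root.zone" \
        && echo "installed serial $(zone_serial "$d/root.zone")"
    make_sample_zone "$d" 2007073101   # older serial: must be refused
    refresh_root_zone "$d/root.zone.gz" "$d/root.zone.gz.sha256" "$d/root.zone" \
        || echo "still serving serial $(zone_serial "$d/root.zone")"
    rm -rf "$d"
}

# Real run only when enabled periodic.conf-style (variable name assumed);
# "demo" runs the logic on the constructed data above.
case "${weekly_rootzone_enable:-NO}:${1:-}" in
    [Yy][Ee][Ss]:*)
        gz=/tmp/root.zone.gz.$$; sum=$gz.sha256
        fetch_root_zone "$gz" "$sum" \
            && refresh_root_zone "$gz" "$sum" "$ZONE_FILE" \
            && rndc reload
        rm -f "$gz" "$sum" ;;
    *:demo) demo ;;
esac
```

Run it as `sh rootzone.sh demo` to see one accepted and one refused update; dropped into /etc/periodic/weekly with the enable variable set, it fetches, validates, installs and asks named to reload. The serial check is what stops a stale or replayed download from quietly rolling the served root zone backwards, and keeping the fetch in its own function is what lets the rest be tested without a network.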

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:15 UTC