On Thu, Aug 02, 2007 at 06:26:46AM +0200, Thijs Eilander wrote: > >If there is a consensus based on solid technical reasons (not emotion > >or FUD) to back the root zone slaving change out, I'll be glad to do > >so. I think it would be very useful at this point if those who _like_ > >the change would speak up publicly as well. > > For starters, I am doing it since 1998 (and not only in named) on busy dns > servers. > I like the idea.... but not the change. > > Motivation: > > 1) Not everyone is an admin on a "busy nameservers". Is it really necessary > to include it in the distribution? A lot of people don't even get it, they > just setup their homemade firewall/dnsserver. Do those people need to slave > the rootservers by default? Why? > > 2) Skilled administrators are aware of the slave trick, or they fetch > root.zone.gz once a week. Why include it for the skilled at expense of the > clueless people from argument 1 ? i am not a 'skilled administrator' i'd probably not quite make it to clueless user status, as yet, but i am working on it .. some ten years and prior to that and my accident some 15 yeasr on qnx and os9: level I and level II (note i am disbled man, born with damaged brain --- memory disabilities and learning skills defeciets as well as motor skills deficiencies .. please excuse my typing) > Why not fetching the root.zone.gz file itself once a week? Matthew Dillon > send a nice getroot script to this discussion, I think we should put an > adjusted script in /etc/periodic/weekly. this seems to be a cleaner way than > using axfr on rootservers which don't notify us on changes. (Benefit: the > root.zone.gz is signed, axfr probably not). i am not claiming to understad the issues involved, i've asked off list and am waiting for replies .. hopefully they will come. but given from what i have read and understand of teh tasks involved and teh load issues and so forth i think that this would be a really good idea. most new users havent got a hope of understanding what is going on .. i have just upgraded my whole netowrk from 25 year old 386dx33 machines to 10 year old cpmpaq proliant 5500 (2 off with 4 cpu 4 gb dram and nice scsi raid onboard and a proliant 1850r with 2 cpu and 2 gb dram i think) but more importantly the software went from freebsd v2.2.5-R to v6.2-R and i have found that it might have been easier to dump freebsd and got with netbsd/openbsd something like that. there are a lot of difference and its a steep learning curve for a new user or an old user with some significant learning defeciets like me. my network is connect to teh backbone via perment dialup modem and the new named is having issues/squables with ppp/pppd i've been a devout pppd user some 10 years, i think that pppd is just the way that it should be done, a personal opoinion nothing more onthing less. i get hourly reminder in /var/log/messages about permissions/interface dropped named ignoring the port. locally dns seems to be working on teh bind 9.?.? (3 something) but i don't know if its being seen outside if any of my secondaries are getting thier data streams. at forst it seems to be a firewall issue, so after giving up trying to make teh jump from v2.2.5 edition ipfw to teh current one with v6.2 i gave up and asked a friend for help with setting up pf, as far as i can tell pf is doing its job and i've dismantled all teh ipfw stuff on teh 6 or so servers handling teh getway (fidonet to/from usenet) and now the gatewy machine is runnign pf and the sshd attack/probes have stoped (i seems) but my named is still complaining hourly about thes ports/permissions errors that it was complaing about with pppd and ipfw i have scoured teh handbook, the faq even teh fabled google and there is precious little, whatever there is relates to some obscure linux dns running in a jailed environment .. i tried de jailing, sorry that is not the corect term but the best that i can do without making a major effort to dig it out of teh relevent dooc sets. it is things like this that make arbitrary desisions/changes to untime/production environments a real pain .. i suppose if i were a real administrator i'd have teh skills to diagnose this problem but the reality is that i am a "special" trying to overcome th bigotry and out right discrimination that ihave come to sxpect as my lot in life, thankfully it is not so bad here in freebsd land .. but it rears its had to remind me that i'm not in heave, just quite yet, big grin, ok. > > Personally I think this serves the same goal and hopefully in a less > annoying way, without having to worry (or argue!) about axfr is still > allowed for at least next 2 years. this sounds really good to me, hopefully some level of sanity might prevail > Just another 2 cents for in your moneybag, what will you do with all those > 'funding' ? :) and another 2 australian cents from me, thijs .. thanks for writing you good article as always please excuse teh poor writing/typing and grammer kind regards jonathan -- ================================================================ powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system ==== === appropriate solution in an inappropriate world === ====Received on Thu Aug 02 2007 - 09:47:03 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:15 UTC