DNS - slaving the root zone

2012-02-17 Thread Damien Fleuriot
Hello list, Jeremy, Doug,


We're currently having a discussion on the FRnOG mailing list regarding
the laughable announcement of an attack on the DNS root servers by
Anonymous.

I've kinda hijacked the thread to ask whether people slave the root zone
or not, and why if not.


Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
pointed out that it might not be a good idea and submitted the following
discussion from 2007 as reference:
http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html


Do you still believe slaving the root zone to be a bad idea?

I actually do it on production 8-STABLE boxes here; it seems to work well
enough.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: DNS - slaving the root zone

2012-02-17 Thread Jeremy Chadwick
On Fri, Feb 17, 2012 at 02:41:57PM +0100, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
> 
> 
> We're currently having a discussion on the FRnOG mailing list regarding
> the laughable announcement of an attack on the DNS root servers by
> Anonymous.
> 
> I've kinda hijacked the thread to ask whether people slave the root zone
> or not, and why if not.
> 
> 
> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
> pointed out that it might not be a good idea and submitted the following
> discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html
> 
> 
> Do you still believe slaving the root zone to be a bad idea?

The important thread (IMO) is actually here:

https://lists.dns-oarc.net/pipermail/dns-operations/2007-July/thread.html#1804

These are the people you should be asking this question to given the
"announcement".  Folks like Paul Vixie and David Conrad.

Also, just a tip: given that at an old job I dealt with DoS and DDoS
attacks on our infrastructure on a near-daily basis (advice to public:
never run a public IRC server on a major network), I wouldn't be so
quick to dismiss the claim as "laughable".  Folks can bring up the
distribution of all the root servers, anycast, etc. all they want, but
nobody truly knows how "distributed" the DDoS will be.  Sit back and
think about that one for a little while, let it stew in your mind.

Rest assured, if what is being proposed turns out to be accomplished,
you will be quite surprised at how many large Fortune 500 companies and
financial organisations are impacted by it.  I can't go into details,
but I can assure you with utmost certainty that many of them rely on
Internet transit for very important transactions -- most of which use
DNS-based lookups for all sorts of things.  Given the state of IT in
general these days, chances are very few companies have thought ahead in
this case.  Though DNS may not simply break 100% (duh), failed lookups
and "oddities" occurring all over the place would be likely.  If you've
ever worked at a large corporation, you'll know how easy it is for
people to incorrectly assess reasons for outages -- it wouldn't surprise
me if it took said companies 24-48 hours to figure out what was truly
the root cause.

TL;DR -- don't be hasty when it comes to threats on the Internet on such
a large scale.  It's amazing the infrastructure we have today works at
all anyway.

-- 
| Jeremy Chadwick  jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |


Re: DNS - slaving the root zone

2012-02-17 Thread Doug Barton
On 02/17/2012 05:41, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
> 
> 
> We're currently having a discussion on the FRnOG mailing list regarding
> the laughable announcement of an attack on the DNS root servers by
> Anonymous.

Given their success at their previous endeavors, I wouldn't call it
"laughable." Even if they are unsuccessful at taking down all of the
root servers, if *your* particular part of the Internet gets knocked
down, that's pretty important to you, right?

OTOH, I think that actually doing what they state they want to do will
be very difficult, and not likely to produce the results that they
believe it will. However, unlike some in the DNS/Security communities I
do not intend to outline the deficiencies in their plan, lest they take
advantage of the opportunity to improve it. :)

> I've kinda hijacked the thread to ask whether people slave the root zone
> or not, and why if not.

Well there is no secret that I (and many others) think it's a good idea.

> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
> pointed out that it might not be a good idea and submitted the following
> discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html

I know Stephane professionally, and I respect his opinion about many
topics. On this topic we disagree.

> Do you still believe slaving the root zone to be a bad idea?

I never thought it was a bad idea. I've been suggesting that people do
it for years. :)

To clarify, almost universally the opposition to the idea centers around
the problems of users who enable this method, and then don't notice if
something changes/breaks, resulting in a stale zone (or zones, depending
on what you choose to slave). I have always acknowledged that this is a
valid concern, just not one that I think overwhelms the virtues of doing
the slaving in the first place.

The method currently in comments in /etc/namedb/named.conf suggests
servers generously provided by ICANN that are dedicated to allowing AXFR
of various infrastructure zones. (Note, ICANN does not necessarily
endorse the idea of slaving these zones for resolvers, but I do have
their permission to include these servers in our named.conf.) That
alleviates one of the other criticisms of slaving these zones, as it
presents no load on the actual root servers at all.

So in short, this is an excellent idea, I've been doing it/recommending
it for years, and assuming you have the knowledge/ability to keep your
resolvers up to date (and/or you're tracking our named.conf where I do
it for you) then it's totally safe to do.


hth,

Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: DNS - slaving the root zone

2012-02-18 Thread Damien Fleuriot

On 2/18/12 12:57 AM, Doug Barton wrote:
> 
> To clarify, almost universally the opposition to the idea centers around
> the problems of users who enable this method, and then don't notice if
> something changes/breaks, resulting in a stale zone (or zones, depending
> on what you choose to slave). I have always acknowledged that this is a
> valid concern, just not one that I think overwhelms the virtues of doing
> the slaving in the first place.
> 

Could you elaborate on the "something changes/breaks, admin doesn't
notice, results in a stale zone" bit?

I fail to see the circumstances under which that could happen.



> The method currently in comments in /etc/namedb/named.conf suggests
> servers generously provided by ICANN that are dedicated to allowing AXFR
> of various infrastructure zones. (Note, ICANN does not necessarily
> endorse the idea of slaving these zones for resolvers, but I do have
> their permission to include these servers in our named.conf.) That
> alleviates one of the other criticisms of slaving these zones, as it
> presents no load on the actual root servers at all.
> 
> So in short, this is an excellent idea, I've been doing it/recommending
> it for years, and assuming you have the knowledge/ability to keep your
> resolvers up to date (and/or you're tracking our named.conf where I do
> it for you) then it's totally safe to do.
> 

Indeed, I deleted the traditional hint file based . zone a while ago and
have been using the slaving mechanism for over a year already; it works
fine enough for us.

You have me somewhat worried with the bit about something breaking
though, thus the call for details ;)


Re: DNS - slaving the root zone

2012-02-18 Thread Doug Barton
On 02/18/2012 03:23, Damien Fleuriot wrote:
> 
> On 2/18/12 12:57 AM, Doug Barton wrote:
>>
>> To clarify, almost universally the opposition to the idea centers around
>> the problems of users who enable this method, and then don't notice if
>> something changes/breaks, resulting in a stale zone (or zones, depending
>> on what you choose to slave). I have always acknowledged that this is a
>> valid concern, just not one that I think overwhelms the virtues of doing
>> the slaving in the first place.
>>
> 
> Could you elaborate on the "something changes/breaks, admin doesn't
> notice, results in a stale zone" bit?

Most commonly whatever auth. server the user is axfr'ing from suddenly
stops offering that ability.

> I fail to see the circumstances under which that could happen.

I tend to agree, which is why I weight this particular objection pretty
low. If you don't notice failed axfrs, you've already got deeper
problems. :)

To be fair however, there are a lot of people who believe (rightly or
wrongly) that resolving DNS should be a "fire and forget" service. Those
of us who do this for a living know that this was never true, and DNSSEC
makes that even less true. However, if you happen to be one of those
people, this method is not for you.

> Indeed, I deleted the traditional hint file based . zone a while ago and
> have been using the slaving mechanism for over a year already; it works
> fine enough for us.

I'm glad to hear that. Makes me feel that my efforts in this area have
been worthwhile.

> You have me somewhat worried with the bit about something breaking
> though, thus the call for details ;)

Understood. You don't seem to be the type of operator who is likely to
run afoul here, FWIW.


Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

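The stale-zone failure mode Doug describes (the master quietly stops offering AXFR, the slave keeps answering from an aging copy until SOA EXPIRE, then drops the zone) is easy to detect if you compare your slave's SOA against a master's. The following is an added example, not code from the thread or from FreeBSD's named.conf: it parses SOA RDATA in the form `dig +short SOA .` prints, compares serials with RFC 1982 arithmetic, and classifies the slave using the zone's own refresh/retry/expire timers. The SOA strings and elapsed times are constructed sample data.

```python
"""Freshness check for a slaved root zone (added example, constructed data).
A secondary copy of "." goes stale when its master stops offering AXFR and
nobody notices; BIND answers from the old copy until SOA EXPIRE runs out,
then drops the zone.  Classify the slave against a master for monitoring."""
from dataclasses import dataclass

HALF_SERIAL_SPACE = 2 ** 31  # RFC 1982: 32-bit serials, half-space window

@dataclass(frozen=True)
class Soa:
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int

def parse_soa(rdata: str) -> Soa:
    """Parse SOA RDATA as printed by `dig +short SOA .`, e.g.
    'a.root-servers.net. nstld.verisign-grs.com. 2012021700 1800 900 604800 86400'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    mname, _rname, serial, refresh, retry, expire, _minimum = fields
    return Soa(mname, int(serial), int(refresh), int(retry), int(expire))

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True when b is newer than a, including across the
    2**32 wrap (4294967295 -> 0), where a plain `<` gives the wrong answer."""
    return a != b and ((a < b and b - a < HALF_SERIAL_SPACE)
                       or (a > b and a - b > HALF_SERIAL_SPACE))

def zone_status(local: Soa, master: Soa, since_transfer: int) -> str:
    """Classify a slaved zone given seconds since the last successful AXFR.
    fresh:   serial matches the master.
    behind:  master has a newer serial but the refresh interval is not yet up.
    lagging: newer serial on the master and refresh+retry have passed, so
             transfers are failing silently; this is the stale-zone case.
    expired: EXPIRE elapsed; BIND no longer answers for the zone at all."""
    if since_transfer >= local.expire:
        return "expired"
    if serial_lt(local.serial, master.serial):
        return "lagging" if since_transfer > local.refresh + local.retry else "behind"
    return "fresh"

if __name__ == "__main__":
    # Constructed sample: root-style YYYYMMDDNN serials, one day apart.
    local = parse_soa("a.root-servers.net. nstld.verisign-grs.com. 2012021700 1800 900 604800 86400")
    master = parse_soa("a.root-servers.net. nstld.verisign-grs.com. 2012021801 1800 900 604800 86400")
    for elapsed in (600, 3600, 604800):
        print(f"{elapsed:>7}s since last AXFR: {zone_status(local, master, elapsed)}")
```

With several masters configured, as Terrence describes later in the thread, run the comparison against the highest serial any of them returns; a "lagging" result on a zone whose masters all answer means your own transfers are failing, not the masters.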


RE: DNS - slaving the root zone

2012-02-19 Thread Terrence Koeman
On Sun, 19 Feb 2012 at 01:14:47, Doug Barton wrote:

> On 02/18/2012 03:23, Damien Fleuriot wrote:
>>
>> On 2/18/12 12:57 AM, Doug Barton wrote:
>>>
>>> To clarify, almost universally the opposition to the idea centers
>>> around the problems of users who enable this method, and then don't
>>> notice if something changes/breaks, resulting in a stale zone (or
>>> zones, depending on what you choose to slave). I have always
>>> acknowledged that this is a valid concern, just not one that I think
>>> overwhelms the virtues of doing the slaving in the first place.
>>>
>>
>> Could you elaborate on the "something changes/breaks, admin doesn't
>> notice, results in a stale zone" bit?
>
> Most commonly whatever auth. server the user is axfr'ing from suddenly
> stops offering that ability.
[snip]

I've just finished converting from named.root to slaving the root; I checked
which servers allow axfr (at least for me...) and added them all as masters.
Multiple masters would substantially decrease the risk of stale zones, yes? I
have attached the relevant portion of my config, maybe it's useful.

Also, I was wondering, now that I slave . and arpa, is it still beneficial to
retain the 'empty zones' that fall within those or are they redundant?

I figure they are, as the comments say 'Serving the following zones locally
will prevent any queries for these zones leaving your network and going to the
root name servers.' and now my server *is* the root as far as it knows.

Thanks.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.




Re: DNS - slaving the root zone

2012-02-19 Thread Doug Barton
On 02/19/2012 10:39, Terrence Koeman wrote:

> I'm just done converting from named.root to slaving the root, I
> checked which servers allow axfr (at least for me...) and added them
> all as masters.

Given that some of the root server operators don't really like people
doing this routinely it would be net.friendlier to list the ICANN
servers first. They are just as up to date as the live root servers.

> Multiple masters would substantially decrease the
> risk of stale zones, yes?

Yes.

> Also, I was wondering, now that I slave . and arpa, is it still
> beneficial to retain the 'empty zones' that fall within those or are
> they redundant?

They are not redundant, and yes, they are still beneficial.


Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/
