Local Slave copy of root zone
Doug Barton
dougb at dougbarton.us
Wed Aug 15 17:19:33 UTC 2018
On 08/15/2018 09:11 AM, Bob McDonald wrote:
> I've recently been investigating having a local slave copy of the root
> zone on a caching/forwarder type server. I've even put the local slave
> copy of the root zone into a separate view accessed via a different
> loopback address. (A limited example of this exists on the ISC site)
>
> My question is this. Is there any benefit to also hosting local slave
> copies of arpa., in-addr.arpa., and ip6.arpa.? Although FreeBSD now
> comes with unbound as its default DNS software, installing bind yields
> an example named.conf which floats the concept of the local slave copies
> of the above zones. (That is what led me down this path...)
I'm responsible for the slave zone configuration in the FreeBSD
named.conf. At least, I wrote the original version of it, and maintained
it for many years. The version located here looks essentially as I left
it:
https://svnweb.freebsd.org/ports/head/dns/bind913/files/named.conf.in?revision=470832&view=markup
Slaving the root and ARPA zones is a small benefit to performance for a
busy resolver, and as long as you maintain a watch on your logs to make
sure that slaving the zone does not fail, you're golden.
I understand the reasoning behind maintaining these zones in a separate
view, accessible only locally, but don't see any value in it. A resolver
is going to cache the answers it gets anyway.
This technique is particularly useful for folks in bad/expensive network
conditions. While the current anycast networks of root servers are much
better than it was "in the old days," the more data you have locally the
more resilient you are to DDoS against those targets.
In regards to production readiness, I've used it in heavy production at
numerous sites, as have thousands of FreeBSD users.
hope this helps,
Doug
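An added example, not from Doug's message or from the FreeBSD port's named.conf he links: a BIND named.conf fragment that slaves the root zone and the ARPA zones on a caching resolver, and sends zone-transfer messages to a dedicated log so that a failed or expired transfer is visible, which is the "watch on your logs" the post recommends. The root-zone transfer sources are the addresses published in RFC 8806; the in-addr.arpa and ip6.arpa master addresses are labelled placeholders (TEST-NET-1) and must be replaced with the zones' real published servers; file and log paths are assumptions.

```conf
// Added example, not from the original post or the FreeBSD port's named.conf.
// Slave copies of the root and ARPA zones on a caching resolver, with transfer
// logging so that a stalled or failed transfer shows up in one place.

logging {
    // Dedicated channel for inbound transfers; watch this file for
    // "failed", "refresh: failure" and "expired" messages about the zones below.
    channel xfer_log {
        file "/var/log/named/xfer.log" versions 5 size 2m;   // path is an assumption
        severity info;
        print-time yes;
        print-category yes;
    };
    category xfer-in { xfer_log; };
    category notify  { xfer_log; };
};

// Transfer sources for the root zone as listed in RFC 8806.
// Verify against https://root-servers.org before deploying.
masters root_xfr_sources {
    199.9.14.201;    // b.root-servers.net
    192.33.4.12;     // c.root-servers.net
    192.5.5.241;     // f.root-servers.net
    192.112.36.4;    // g.root-servers.net
    193.0.14.129;    // k.root-servers.net
    192.0.47.132;    // xfr.cjr.dns.icann.org
    192.0.32.132;    // xfr.lax.dns.icann.org
};

zone "." {
    type slave;
    file "/var/named/slave/root.slave";      // directory must be writable by named
    masters { root_xfr_sources; };
    notify no;                               // nobody downstream is notified of our copy
    allow-transfer { none; };                // never re-serve the zone to others
    allow-query { localhost; localnets; };   // only this resolver's own clients
};

// arpa. is delegated to the root servers; confirm they permit AXFR from you.
zone "arpa" {
    type slave;
    file "/var/named/slave/arpa.slave";
    masters { root_xfr_sources; };
    notify no;
    allow-transfer { none; };
};

// The two master addresses below are PLACEHOLDERS from TEST-NET-1 (192.0.2.0/24).
// Replace them with the addresses of the zones' published NS records.
zone "in-addr.arpa" {
    type slave;
    file "/var/named/slave/in-addr.arpa.slave";
    masters { 192.0.2.1; };   // PLACEHOLDER: in-addr-servers.arpa addresses go here
    notify no;
    allow-transfer { none; };
};

zone "ip6.arpa" {
    type slave;
    file "/var/named/slave/ip6.arpa.slave";
    masters { 192.0.2.2; };   // PLACEHOLDER: ip6-servers.arpa addresses go here
    notify no;
    allow-transfer { none; };
};
```

After `named-checkconf` passes and the server is reloaded, `rndc zonestatus .` reports the loaded serial and the next refresh time, and `rndc retransfer .` forces a fresh copy if the log shows the zone has expired. With the placeholders left in place BIND will log refresh failures against the TEST-NET addresses, which is a useful way to confirm the logging channel works before the real masters go in. On BIND 9.14 and later, `type mirror` is the successor to this pattern for the root zone: it does the same transfer but refuses to serve the copy unless it validates under DNSSEC, which removes the risk of serving a tampered or stale zone file.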