[ntp:hackers] Re: NTP and leap-seconds

Paul Vixie paul at vix.com
Fri Jul 7 15:49:48 UTC 2006


> >   It seems to me that the non-crypto DNS root zone file distribution
> > methods are less top-heavy (if less secure) and seem to work well enough.

well, no.

> Maybe you should explain that better. DNS root zone file distribution
> happens rarely and is a straightforward distribution.

well, no.

> In addition, at least BIND will automatically update its list when it
> starts up and queries one of the root servers.

well, no.

let me explain.

there is no non-crypto dns root zone file distribution method any more, at
least as regards the iana root zone and the iana-recognized root name servers.
we use TSIG (see RFC2845) to both authenticate zone publishing authority and
to control zone distribution.

and it's not rare.  the root zone changes once a day, minimum.

and while bind grabs a fresh list of root name servers at startup time, it
does not write this information to disk, so on every reboot, it will use its
compiled-in or on-disk "hints" to locate a server from which "fresh hints"
can be fetched.  and the reason we don't update it on disk is that i don't
trust automation at that level; it's too easy to wind up with a zero-length file.
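An added example, not part of the thread, of the arrangement described above as a BIND named.conf fragment: one TSIG key restricts who may transfer the zone and authenticates the primary a secondary pulls from, while the root zone itself is held only as a hint file that named reads but never rewrites. The key name, secret, addresses (RFC 5737 documentation space) and file names are constructed assumptions.

```conf
// Shared TSIG key (RFC 2845). hmac-sha256 is the later TSIG algorithm
// choice; RFC 2845 itself specified HMAC-MD5. The secret is a constructed
// placeholder (base64 of "placeholder"); generate a real one with tsig-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXI=";
};

options {
    directory "/var/named";
    // Weak setting: anyone who can reach port 53 may AXFR every zone.
    //   allow-transfer { any; };
    // Hardened: only transfer requests signed with the shared key are served.
    allow-transfer { key xfer-key; };
};

// On a secondary: sign every request sent to this primary with the key, so
// an unsigned or mis-signed transfer answer is rejected rather than loaded.
server 192.0.2.1 {
    keys { xfer-key; };
};

// Root hints: used only to find a root server at startup; named fetches the
// current NS set from it but does not write that set back to this file.
zone "." {
    type hint;
    file "named.root";
};
```

Check the file with named-checkconf before reloading; a zero-length or missing hint file is exactly the failure mode the message warns about, and named-checkzone on named.root catches it before startup does.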

