[ntp:hackers] Re: NTP and leap-seconds

Danny Mayer mayer at ntp.isc.org
Sat Jul 8 21:29:31 UTC 2006


Paul Vixie wrote:
>>>   It seems to me that the non-crypto DNS root zone file distribution
>>> methods are less top-heavy (if less secure) and seem to work well enough.
> 
> well, no.
> 
>> Maybe you should explain that better. DNS root zone file distribution
>> happens rarely and is a straightforward distribution.
> 
> well, no.

Looks like we are talking about two different things. I was talking
about the root server list itself [A-M].ROOT-SERVERS.NET and apparently
you are talking about the TLD zone itself which I would expect to change
on a fairly regular basis. Sorry for the misunderstanding.

> 
>> In addition, at least BIND will automatically update its list when it
>> starts up and queries one of the root servers.
> 
> well, no.
> 

See above for what I meant.

> let me explain.
> 
> there is no non-crypto dns root zone file distribution method any more, at
> least as regards the iana root zone and the iana-recognized root name servers.
> we use TSIG (see RFC2845) to both authenticate zone publishing authority and
> to control zone distribution.
> 
> and it's not rare.  the root zone changes once a day, minimum.
> 

I'm sure.

> and while bind grabs a fresh list of root name servers at startup time, it
> does not write this information to disk, so on every reboot, it will use its
> compiled-in or on-disk "hints" to locate a server from which "fresh hints"
> can be fetched.  and the reason we don't update it on disk is, i don't trust
> automation at that level, it's too easy to wind up with a zero-length file.

I should note though, that BIND 9 only has A records in the compiled-in
list, there are no AAAA records right now. I don't know if this should
be changed.

Danny
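The thread's point about root hints (BIND refreshes the list in memory at startup but deliberately does not write it back to disk, because automation at that level "too easy to wind up with a zero-length file") is the classic guard-the-known-good-copy problem. Below is an added example of how such an update could be guarded if one did choose to automate it; it is not code from this thread, from BIND or from the NTP project. It validates a candidate hints text (non-empty, root NS records present, glue for every listed server) and replaces the on-disk file only through an atomic rename, so a truncated fetch or a crash mid-write can never leave an empty hints file behind. The sample hints are constructed: the names follow the [A-M].ROOT-SERVERS.NET pattern named above, but the addresses are RFC 5737 documentation placeholders, not the real root server addresses.

```python
"""Guarded update of a DNS root-hints file (added example, not project code).

Illustrates the failure mode described in the thread: automation that
refreshes the on-disk "hints" must never replace a known-good file with
an empty or truncated one.
"""
import os
import re
import tempfile

# Constructed sample in zone-file style: root NS records plus one A glue
# record per listed server.  Addresses are from the 192.0.2.0/24
# documentation range (RFC 5737), deliberately not the real ones.
SAMPLE_HINTS = """\
.                        3600000  NS  A.ROOT-SERVERS.NET.
.                        3600000  NS  B.ROOT-SERVERS.NET.
.                        3600000  NS  C.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  A   192.0.2.1
B.ROOT-SERVERS.NET.      3600000  A   192.0.2.2
C.ROOT-SERVERS.NET.      3600000  A   192.0.2.3
"""

# owner  ttl  [IN]  type  rdata  (only the record types a hints file carries)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(NS|A|AAAA)\s+(\S+)\s*$")


def validate_hints(text, min_servers=3):
    """Return a list of problems; an empty list means the hints are usable.

    Checks: at least min_servers root NS records, every NS record owned by
    the root, and an A or AAAA glue record for every server named.
    """
    problems = []
    ns_targets, glue_owners = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()  # drop zone-file comments
        if not line:
            continue
        m = RR_LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: unparseable record")
            continue
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            if owner != ".":
                problems.append(f"line {lineno}: NS record not at the root")
            ns_targets.add(rdata.lower())
        else:
            glue_owners.add(owner.lower())
    if not ns_targets:
        problems.append("no root NS records (empty or truncated fetch?)")
    elif len(ns_targets) < min_servers:
        problems.append(f"only {len(ns_targets)} root servers listed")
    for name in sorted(ns_targets - glue_owners):
        problems.append(f"no A/AAAA glue for {name}")
    return problems


def update_hints_file(path, new_text):
    """Replace the hints file only if new_text validates; otherwise keep it.

    The new content goes to a temp file in the same directory, is fsync'd,
    and is renamed into place, so a partial write never becomes the live
    file.  Returns True if the file was replaced.
    """
    if validate_hints(new_text):
        return False
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hints.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def demo(tmpdir=None):
    """Seed a hints file, apply a good and then an empty update; report outcomes."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    path = os.path.join(tmpdir, "root.hints")
    with open(path, "w") as fh:
        fh.write(SAMPLE_HINTS)
    good = update_hints_file(path, SAMPLE_HINTS)
    empty = update_hints_file(path, "")  # the zero-length case from the thread
    with open(path) as fh:
        survived = fh.read() == SAMPLE_HINTS
    return good, empty, survived


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The validation step is what separates this from the behaviour Paul distrusts: the rename is only reached once the candidate has been parsed and found to name at least a minimum number of root servers with glue, so an empty or half-received answer is refused rather than written. The checker accepts AAAA glue as well as A, which covers the point Danny raises about BIND 9's compiled-in list carrying only A records.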

