ICONZ has also been mirroring *.co.nz and other zones for some time
now.
The most effective way for us to do this is via normal DNS zone transfers.
It takes significant load off our WAN links, and reduces load on the
country's associated secondary DNS servers. Our caching servers are
restricted to queries only from within our network; we run a separate cluster
of servers for zones which we are authoritative for, and these servers do not
cache and do not perform zone transfers of the nz TLD.
It also gives us the ability to service our clients' DNS requests
with the same speed and efficiency that Clear, Xtra and Netlink benefit
from.
This, as in the case of Auckland University, appears to be reasonable use
of zone transfers from ns99.
-Rowan
----- Original Message -----
From: Russell Street
I'd like people to put their cards on the table and say why they want access to the complete zone files. That would help us understand if there are valid reasons for leaving the transfers open.
I have set up our central campus name servers to mirror the NZ top- and second-level zones. That is, they are stealth name servers for .nz, .co.nz, .ac.nz and so on. The easiest way to do this is via normal DNS zone transfers.
Zone transfers from our core name servers are restricted to addresses on campus plus a few others.
If the zone transfers were restricted, I would ask that our primary name servers be allowed access to continue the mirroring.
The reasons for setting this up are largely historic:
1. Faster access to lookups for some .nz names. Lookups do not have to go across a WAN link.
2. If our WAN connection was ever broken, local lookups that used a search list would break or slow to a crawl as well.
3. Resolving names using a search list would cause queries to go out via the WAN to the NZ name servers. Having the campus name servers set up as authoritative for zones that are searched stopped these queries leaving the campus.
BIND with negative caching has cut down those queries considerably: from several hundred bogus queries per second going off campus to one bogus query every five minutes.
We still have lots of Windows machines that go looking for 'MYWORKGROUP.auckland.ac.nz', then 'MYWORKGROUP.ac.nz' (then 'MYWORKGROUP.nz' and finally "MYWORKGROUP" if they are really badly configured). I turned on query logging for a few minutes yesterday and puked.
While we can get the machines configured to turn this crap off, it is an uphill battle.
4. Related to (3) when we were charged by the byte for Internet traffic this saved money. Or appeared to.
I do not believe the stealth servers have caused any problems over the past 4 years. And believe we are still winning because of it.
This is not advocating that everyone mirrors the .nz domains. If we were starting from scratch, I would not do it this way.
Russell
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
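Both posters describe the same arrangement: a campus or ISP name server that holds a stealth secondary copy of an .nz zone (pulled by AXFR from the registry's server), answers only its own clients, and does not pass the zone on. The fragment below is an added illustration of that setup in BIND 9 named.conf syntax; it is not configuration from either poster or from ISOCNZ. Every address is a documentation-range placeholder standing in for the real ones (192.0.2.0/24 for the campus, 198.51.100.99 for "ns99", 203.0.113.53 for a peer that is allowed to mirror), and "example.ac.nz" is a hypothetical zone the server is primary for.

```conf
// Added example, not from the original thread. All addresses are assumed.
acl campus       { 192.0.2.0/24; };    // assumed: the campus/ISP client range
acl mirror-peers { 203.0.113.53; };    // assumed: a peer allowed to mirror our zones

options {
    directory "/var/named";
    // Answer and recurse only for our own clients (Rowan's "restricted to
    // queries only from within our network").
    allow-query     { campus; };
    allow-recursion { campus; };
    // Refuse AXFR/IXFR globally; individual zones open it up where needed.
    allow-transfer  { none; };
};

// Stealth secondary copy of co.nz: this server is not in the zone's NS RRset,
// so nobody is referred to it, but campus resolvers hitting it get an
// authoritative answer without crossing the WAN. It never re-exports the zone.
zone "co.nz" {
    type slave;
    file "sec/co.nz";
    masters { 198.51.100.99; };        // assumed address standing in for ns99
    allow-transfer { none; };
};

// A zone we are primary for: the whole Internet may query it, but only the
// listed peer may take a zone transfer (Russell's "campus plus a few others").
zone "example.ac.nz" {
    type master;
    file "pri/example.ac.nz";
    allow-query    { any; };
    allow-transfer { mirror-peers; };
};
```

To check the restriction from an address outside the allowed lists, `dig @<server> example.ac.nz AXFR` should come back with "Transfer failed." rather than the zone contents; the same test against `co.nz` confirms the mirrored copy is not being leaked onward. Two caveats a practitioner should keep in mind with this pattern: a secondary that cannot refresh from its master before the SOA expire timer runs out stops answering for the zone altogether, so a mirror of a zone you do not control trades WAN latency for a dependency on the registry server staying reachable; and on a combined resolver/authoritative box like this one, the global `allow-query { campus; }` must be overridden per zone for anything the outside world is supposed to resolve, which is one reason Rowan's note describes keeping the caching and authoritative roles on separate clusters.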