> BIND 9.14 will have an improved local root implementation (called a > "mirror" zone) which validates the zone so you don't blindly serve bogus > data. The feature is available now in the 9.13 dev branch; I have not > tried mirroring the arpa zones - the docs suggest that isn't a supported > config for mirror zones.
The catch is that, as of current master, you would have to configure trusted-keys/managed-keys for each zone you would like to mirror. In other words, the chain of trust from the root is currently not established automatically when a mirror zone is validated. This might change in the future, but since the root zone is the primary use case and a default trust anchor for the root zone is installed implicitly, I would not hold my breath for it. -- Best regards, Michał Kępień _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users