Doug Barton <do...@dougbarton.us> wrote:
>
> How, specifically, is DNSSEC affected by the validating resolver having a
> local copy of the root zone?

If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream. The normal resolver / validator algorithm is more robust.

The new mirror zone code validates the root zone before installing it, which at least allows it to detect a problem; I have not examined it closely enough to see how hard it tries to recover by xfering the zone from a different root server, or if it just falls back to normal resolution.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Westerly, backing southerly later, 4 or 5, occasionally 6 later in Fair Isle. Moderate, occasionally slight. Showers then rain. Good, becoming moderate or poor.
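
The two setups contrasted in the reply above, as an added named.conf sketch that is not part of the original message or of ISC's documentation. The file name and the 192.0.2.1 address are constructed placeholders, and only one definition of zone "." can be active at a time, so the older form is shown commented out.

```conf
options {
    // Validation must be enabled: the mirror zone is checked against the
    // same root trust anchor the validator uses.
    dnssec-validation auto;
};

// Usual local-root setup: a plain secondary zone. Whatever is transferred
// is loaded and served as-is, so a corrupted copy only shows up later as
// DNSSEC validation failures for downstream validators.
//
// zone "." {
//     type slave;              // spelled "secondary" in newer BIND releases
//     file "root.db";          // constructed file name
//     masters { 192.0.2.1; };  // placeholder address, not a real root server
//     notify no;
// };

// Mirror zone: each transferred copy of the root zone is DNSSEC-validated
// before it is installed. With no server list given for the root zone,
// named uses its built-in list of root servers.
zone "." {
    type mirror;
};
```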