(thread fork)

Tony Finch wrote:
> Paul Vixie <[email protected]> wrote:
>
>> this is true.
>
> Except that you could (I think) use Unbound as your resolver and configure
> it with a stub zone for the root pointing at a local NSD which slaves the
> root.

in that sense, BIND 10 can also perform mixed-mode service. however, this config devolves to the one i described on itipanel@, since the root hints compiled into your rdns could be just some hierarchical anycast names/addresses, which would be served as locally as you want.

>> [...] any widespread support for "root zone hidden slave" would have to
>> deal with this. TSIG isn't the answer since the signing key has to be
>> secret if we want to prevent MiTM attacks on hidden slave root zone
>> content.
>
> TKEY ought to do the trick.

yes; thank you for this clarification.

>> http://mm.icann.org/pipermail/itipanel/2013-November/000017.html
>
> Sounds a lot like the ICANN L-root dense anycast model.
> http://blog.icann.org/2012/03/l-root-in-your-pocket/
> http://www.menog.org/presentations/menog-10/Dave%20Knight%20-%20Dense%20Anycast%20Deployment%20of%20DNS%20Authority%20Servers.pdf

yes and no. yes, there are superficial similarities. no, it's not the same thing or even close to the same thing.

my proposal regarding disconnected root name service would involve creating a second root zone possessing only two NS RRs, each having one globally reachable IP address and one globally reachable IP6 address. this root zone would be signed by the ICANN root zone signing key, kept in synch with the existing root zone, and made available by AXFR and IXFR in a high-availability configuration, with some way of registering for NOTIFY service.

i'd say it bears more resemblance to the older proposal still online at <http://ss.vix.su/~vixie/alternate-rootism.pdf>, than to the L-root model.

without ICANN support for the project it would be nec'y to pirate all existing root name server names/addresses at every level of the hierarchical anycast network, which would lead to chaos; or, to only pirate L-root's, which would lead to long startup delays while the other root name server names/addresses were each checked for reachability.
vixie
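Added configuration example (not from the thread, and not any poster's own setup) of the arrangement Tony describes: Unbound as the resolver with a stub zone for "." pointing at a local NSD that slaves the root zone, with DNSSEC validation left on in Unbound so that tampered content on the hidden slave is rejected rather than trusted. Port 5300, the file paths and the transfer source address (c.root-servers.net) are assumptions.

```conf
# ---- /etc/unbound/unbound.conf (assumed path) ----
server:
    interface: 127.0.0.1
    # Unbound refuses to send queries to loopback by default; the stub
    # target below lives there, so this must be switched off.
    do-not-query-localhost: no
    # Keep validating: the root trust anchor, not the AXFR channel, is
    # what protects against a modified root zone on the local slave.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes

stub-zone:
    name: "."
    # Local NSD holding the slaved root zone (port 5300 is an assumption).
    stub-addr: 127.0.0.1@5300
    stub-addr: ::1@5300

# ---- /etc/nsd/nsd.conf (assumed path) ----
server:
    ip-address: 127.0.0.1@5300
    ip-address: ::1@5300
    hide-version: yes

zone:
    name: "."
    zonefile: "root.zone"
    # AXFR/IXFR source that offers public root zone transfers; NOKEY
    # because no TSIG key is shared with a public root server.
    # Address is assumed (c.root-servers.net).
    request-xfr: 192.33.4.12 NOKEY
    allow-notify: 192.33.4.12 NOKEY
    # Nobody else may transfer the zone out of this hidden slave.
    provide-xfr: 127.0.0.1 NOKEY
```

Because the transfer itself is unauthenticated, this setup depends on Unbound's DNSSEC validation to detect a modified root zone; it does not by itself address the TSIG/TKEY question raised above.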
