On Mon, Jun 23, 2014 at 1:07 PM, Tony Finch <[email protected]> wrote:
> Warren Kumari <[email protected]> wrote:
>>
>> Draft: http://tools.ietf.org/html/draft-wkumari-dnsop-dist-root-00
>
> What I do on my toy server at the moment is similar but different, based
> on a suggestion from Mark Andrews:
> https://lists.dns-oarc.net/pipermail/dns-operations/2013-November/011158.html
>
> The idea is to have an authoritative view with a local copy of the root
> zone, and a recursive view which validates as normal but queries the auth
> view instead of the usual servers.
>
> The downside compared to your proposal is the lack of any way (other than
> operator intervention) to recover from a bogus zone transfer.
>
> view rec {
>         match-recursive-only yes;
>         zone "." {
>                 type static-stub;
>                 server-addresses { ::1; };
>         };
> };
>
> view auth {
>         recursion no;
>         allow-recursion { none; };
>         zone "." {
>                 type slave;
>                 masters { 2001:500:2f::f; 192.5.5.241; };
>         };
> };
>

Yup, this accomplishes a very similar thing - and a number of folk are
doing exactly this (or even "while true; do dig AXFR .
@f.root-servers.net > root.db; rndc reload root.db; sleep 1800; done"
or, less scarily, cron).

As you say, it doesn't deal well with bogus zone transfers, but also,
depending on just how you implement it, doesn't necessarily do
validation (for example, the dig -> file), but it *is* very similar.
A fair bit of this document is simply codifying this existing
behavior.

W

> Tony.
> --
> f.anthony.n.finch  <[email protected]>  http://dotat.at/
> Plymouth, Northwest Biscay: Northeasterly 4 or 5. Slight or moderate. Fair.
> Good.
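A sanity check for the "dig AXFR . > root.db; rndc reload" variant discussed above, added here as an example and not code from either poster. It assumes dig's AXFR output layout (one record per line, ';' comments) and, in refresh_root_zone only, that BIND's dig, rndc and named-checkzone are installed; the sample zone it writes is constructed, not a real root zone.

```shell
# Added example, not code from the thread: sanity-check a root zone captured with
# "dig AXFR . @f.root-servers.net > root.db" before named loads it, so an empty,
# truncated or regressed transfer is rejected. Input: dig presentation format.
# Record lines of a dig AXFR capture: drop ';' comment lines and blank lines.
records_of() { grep -v '^;' "$1" | grep -v '^[[:space:]]*$'; }

# Print the serial when $1 is an apex SOA record line, otherwise fail.
apex_soa_serial() {
    set -- $1
    [ "$1" = "." ] && [ "$4" = "SOA" ] || return 1
    printf '%s\n' "$7"
}

# Succeed only when the candidate looks like a complete root zone whose serial
# is not older than the installed copy ($2, which may not exist yet).
root_zone_ok() {
    recs=$(records_of "$1") || { echo "$1: no records" >&2; return 1; }
    first=$(printf '%s\n' "$recs" | head -n 1)
    last=$(printf '%s\n' "$recs" | tail -n 1)
    new=$(apex_soa_serial "$first") || { echo "$1: no opening SOA" >&2; return 1; }
    end=$(apex_soa_serial "$last") || { echo "$1: truncated, no closing SOA" >&2; return 1; }
    [ "$new" = "$end" ] || { echo "$1: serial changed mid-transfer" >&2; return 1; }
    printf '%s\n' "$recs" | awk '$1 == "." && $4 == "NS" { ok = 1 } END { exit (ok ? 0 : 1) }' \
        || { echo "$1: no apex NS records" >&2; return 1; }
    if [ -f "$2" ]; then
        old=$(apex_soa_serial "$(records_of "$2" | head -n 1)") || return 1
        [ "$new" -ge "$old" ] || { echo "$1: serial $new older than $old" >&2; return 1; }
    fi
}

# Constructed sample in dig AXFR output layout (not a real root zone).
write_sample_zone() {   # $1 = path, $2 = serial, $3 = complete | truncated
    soa=".\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. $2 1800 900 604800 86400"
    {
        printf '; <<>> DiG <<>> AXFR . (constructed sample)\n'
        printf '%b\n' "$soa"
        printf '.\t518400\tIN\tNS\ta.root-servers.net.\n'
        if [ "$3" = complete ]; then printf '%b\n' "$soa"; fi
        printf ';; Query time: 1 msec\n'
    } > "$1"
}
# The thread's loop body with the check inserted; assumes BIND's dig, rndc and
# named-checkzone are installed. Nothing calls it on load; run it from cron.
refresh_root_zone() {   # $1 = directory holding root.db
    dig AXFR . @f.root-servers.net > "$1/root.db.new" || return 1
    root_zone_ok "$1/root.db.new" "$1/root.db" || return 1
    named-checkzone . "$1/root.db.new" > /dev/null || return 1
    mv "$1/root.db.new" "$1/root.db" && rndc reload
}
```

The check only catches transfers that are empty, cut short, or go backwards in serial; it does not replace DNSSEC validation of the data the recursive view hands out.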

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
