Paul Hoffman <[email protected]> wrote:
> Greetings again. Based on some great input from Evan Hunt, we have
> updated our draft. The algorithm is both simpler and easier to
> configure. In fact, we have examples of how to configure BIND and
> Unbound/NSD to match the new spec.
I have been running with a similar config on my toy nameserver for nearly
a year, and it is reasonably satisfactory. I have not really exercised its
failure modes. Previously I just slaved the root zone without validating
it.
I thought the idea of validating the zone transfer before putting the zone
live was interesting. I could probably lash up a script to do that along
the lines of the following, though it also needs to check the KSK matches
the trust anchor.
for server in $root_servers
do
    # Transfer the zone from one root server and verify its signatures before
    # touching the live copy; fall through to the next server on failure.
    if dig axfr . @$server >root.db &&
       dnssec-verify -o . root.db
    then
        # Push only the differences into the running server.
        nsdiff -s localhost . root.db | nsupdate -l
        exit $?
    fi
done
Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
North Utsire: Easterly or southeasterly 5 to 7, occasionally gale 8 in south.
Moderate becoming rough. Showers later. Good.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
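The extra check Tony mentions, that the transferred zone's KSK matches the local trust anchor, as an added example that is not part of the original thread. It is a small Python script working on a constructed root zone fragment and a constructed DNSKEY-form trust anchor (the shape Unbound's anchor file holds); key tags follow RFC 4034 Appendix B. A non-zero exit between the dnssec-verify step and nsdiff would keep an unanchored zone from going live.

```python
import base64
import struct
import sys

# Constructed zone fragment: one KSK (flags 257, SEP bit set) and one ZSK (flags 256).
# The 4-byte key blobs are made up for the example and are not real root keys.
ZONE_FRAGMENT = """\
. 172800 IN DNSKEY 257 3 8 AQIDBA==
. 172800 IN DNSKEY 256 3 8 BQYHCA==
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
"""

# Constructed trust anchor as (flags, protocol, algorithm, base64 key); its key tag is 2063.
TRUST_ANCHORS = [(257, 3, 8, "AQIDBA==")]


def parse_dnskeys(zone_text):
    """Return (flags, protocol, algorithm, base64key) for each single-line DNSKEY RR."""
    keys = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            keys.append((int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
    return keys


def key_tag(flags, protocol, algorithm, b64key):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(b64key)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ksk_matches_anchor(zone_text, anchors):
    """Key tags of zone KSKs (SEP bit set) that equal a configured anchor field for field.
    An empty list means the transferred zone must not be put live."""
    anchor_by_tag = {key_tag(*a): a for a in anchors}
    matched = []
    for key in parse_dnskeys(zone_text):
        if key[0] & 0x0001 == 0:  # SEP bit clear: a ZSK, which the anchor does not pin
            continue
        tag = key_tag(*key)
        if anchor_by_tag.get(tag) == key:
            matched.append(tag)
    return matched


if __name__ == "__main__":
    # Usage: check_anchor.py root.db  (falls back to the constructed fragment)
    zone = open(sys.argv[1]).read() if len(sys.argv) > 1 else ZONE_FRAGMENT
    tags = ksk_matches_anchor(zone, TRUST_ANCHORS)
    print("KSK matching trust anchor:", tags or "NONE")
    sys.exit(0 if tags else 1)
```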