Paul Hoffman <[email protected]> wrote:
>
> > I thought the idea of validating the zone transfer before putting the zone
> > live was interesting. I could probably lash up a script to do that along
> > the lines of the following, though it also needs to check the KSK matches
> > the trust anchor.
> >
> >     for server in $root_servers
> >     do if dig axfr . @$server >root.db &&
> >           dnssec-verify -o . root.db
> >        then nsdiff -s localhost . root.db | nsupdate -l
> >             exit $?
> >        fi
> >     done
>
> Sure, but this is an unnecessary change to what recursives do today,
> which is to validate each response. It feels better to keep as much as
> we can from the current methodology.
On the other hand, something vaguely like that kind of validation is often
part of a high-assurance authoritative DNS setup. And I was suggesting a
shonky way to add that validation to the authoritative side of the local
root server, leaving the recursive side relatively normal.

The problem with slaving the root zone locally is that you damage the DNS's
and DNSSEC's resilience features. Since you can't TSIG-authenticate the zone
transfers I think you really need some other kind of sanity check, if you are
going to recommend local root zones as a standard configuration (as opposed
to an experiment on a hostmaster's workstation).

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
South Biscay, Fitzroy: Westerly or southwesterly 6 to gale 8. Moderate at
first in southeast Biscay, otherwise rough or very rough, occasionally high
in Fitzroy. Thundery showers. Good, occasionally poor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
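The one step the quoted script leaves out is the check that the KSK in the freshly transferred zone matches the configured trust anchor. The following is an added example, not code from the thread or from any of the participants: it implements that check in Python (chosen over shell so it runs offline without dig or dnssec-verify), computing the RFC 4034 key tag and DS digest of each SEP-flagged DNSKEY in the transferred zone and comparing them to a DS-format trust anchor, as a sanity check before nsupdate pushes the zone live. Every DNSKEY and DS value below is a constructed dummy, not the real root KSK; the helper make_anchor only exists to produce the constructed anchor for the demonstration, in the role dnssec-dsfromkey would play in practice.

```python
"""Check that a KSK in a transferred zone matches a DS trust anchor.

Added example for the DNSOP thread above; not the thread's own code.
All record values in this file are constructed dummies, not real root keys.
"""
import base64
import hashlib
from typing import Iterable, Tuple


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in DNS wire format; "." becomes a single zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line: str) -> Tuple[str, bytes]:
    """Parse a presentation-format DNSKEY RR (TTL and class optional)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def parse_ds(line: str) -> Tuple[str, int, int, int, str]:
    """Parse a presentation-format DS RR into (owner, tag, alg, digest type, hex)."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], tag, alg, dtype, "".join(fields[i + 4:]).upper()


def make_anchor(dnskey_line: str, digest_type: int = 2) -> str:
    """Render the DS RR for a DNSKEY (what dnssec-dsfromkey does); demo-only helper."""
    owner, rdata = parse_dnskey(dnskey_line)
    return (f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ksk_matches_anchor(zone_dnskeys: Iterable[str], anchor_ds: str) -> bool:
    """True if some SEP-flagged DNSKEY in the zone matches the DS trust anchor."""
    owner_ds, tag, alg, dtype, digest = parse_ds(anchor_ds)
    for line in zone_dnskeys:
        owner, rdata = parse_dnskey(line)
        flags = int.from_bytes(rdata[:2], "big")
        if not flags & 0x0001:          # SEP bit clear: a ZSK, never matched to a DS
            continue
        if owner != owner_ds or rdata[3] != alg:
            continue                    # wrong owner or algorithm
        if key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == digest:
            return True
    return False


# Constructed sample: the DNSKEY RRset one might grep out of root.db after AXFR.
CONSTRUCTED_ZONE_DNSKEYS = [
    ". 172800 IN DNSKEY 256 3 8 AwE=",   # ZSK (flags 256), ignored by the check
    ". 172800 IN DNSKEY 257 3 8 AQI=",   # KSK (flags 257), compared to the anchor
]

if __name__ == "__main__":
    anchor = make_anchor(CONSTRUCTED_ZONE_DNSKEYS[1])
    print("constructed trust anchor:", anchor)
    print("KSK matches anchor:", ksk_matches_anchor(CONSTRUCTED_ZONE_DNSKEYS, anchor))
```

In a deployment the anchor string would come from the locally configured trust anchor file rather than from make_anchor, and the script would refuse to run nsupdate when ksk_matches_anchor returns False, so a transferred zone signed under a key that is not the configured KSK never goes live.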
