> Tony Finch <mailto:[email protected]>
> Wednesday, November 12, 2014 7:13 AM
> Paul Vixie <[email protected]> wrote:
>>> With normal DNSSEC validation, resolvers have a way to recover from data
>>> corruption. With this local root zone proposal they do not.
>> i seem to have missed a step. why?
>
> If a validating resolver gets a bogus answer it will retry the query on
> another server. With a local root zone you are disabling this fallback.
that's either an argument for listing multiple servers, the first being on the loopback, the other(s) being real global root name servers; or, instead of telling bind9 "forward only", tell it "forward first".

the other thread on this draft reached a similar end when considering what happens when the zone times out. these are just different forms of data-unavailability, which can *always* be forced.

--
Paul Vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
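The two bind9 settings contrasted in the reply, side by side as an added named.conf illustration (not from the draft or from anyone in the thread). It assumes a copy of the root zone is served by a separate listener on 127.0.0.1 port 53, and the hints file path is a placeholder:

```conf
// Added illustration, not part of the thread. Assumes a local copy of
// the root zone is answered by a separate listener on 127.0.0.1:53.

// Setting A: "forward only". Every query goes to the loopback server and
// nowhere else. If that server is down, stale, or returns bogus data, the
// resolver has no second source to retry against: the fallback described
// in the quoted message is disabled.
options {
    recursion yes;
    dnssec-validation auto;
    forwarders { 127.0.0.1; };
    forward only;
};

// Setting B: "forward first". The loopback server is still asked first,
// but if no answer is obtained from it the resolver falls back to normal
// iterative resolution starting from the root hints, so the global root
// servers remain available as a second source.
options {
    recursion yes;
    dnssec-validation auto;
    forwarders { 127.0.0.1; };
    forward first;
};

// Setting B only helps if a hints zone is present to fall back to.
// (A real named.conf has a single options block; keep one of the two.)
zone "." {
    type hint;
    file "/etc/bind/db.root";   // placeholder path; use the local root hints file
};
```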
