In message <[email protected]>, Tony Finch writes:
> Paul Hoffman <[email protected]> wrote:
> >
> > > I thought the idea of validating the zone transfer before putting the zone
> > > live was interesting. I could probably lash up a script to do that along
> > > the lines of the following, though it also needs to check the KSK matches
> > > the trust anchor.
> > >
> > > for server in $root_servers
> > > do if dig axfr . @$server >root.db &&
> > >       dnssec-verify -o . root.db
> > >    then nsdiff -s localhost . root.db | nsupdate -l
> > >         exit $?
> > >    fi
> > > done
> >
> > Sure, but this is an unnecessary change to what recursives do today,
> > which is to validate each response. It feels better to keep as much as
> > we can from the current methodology.
>
> On the other hand, something vaguely like that kind of validation is often
> part of a high-assurance authoritative DNS setup. And I was suggesting a
> shonky way to add that validation to the authoritative side of the local
> root server, leaving the recursive side relatively normal.
>
> The problem with slaving the root zone locally is that you damage the
> DNS's and DNSSEC's resilience features. Since you can't TSIG-authenticate
> the zone transfers I think you really need some other kind of sanity
> check, if you are going to recommend local root zones as a standard
> configuration. (as opposed to an experiment on a hostmaster's
> workstation.)
We could re-introduce zone signatures and require them for the root zone
but leave them optional for other zones.

> Tony.
> --
> f.anthony.n.finch <[email protected]> http://dotat.at/
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
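Added example, not code from this thread: the check Tony's script says it still needs, comparing the KSK in the transferred zone against the configured trust anchor before the nsdiff | nsupdate step runs. It goes slightly beyond the thread by accepting the anchor in either DS or DNSKEY presentation form; the zone dump, keys and anchor are constructed, and the parser assumes one DNSKEY per line as dig axfr prints them.

```python
"""Refuse a locally slaved root zone unless one of its KSKs matches a
configured trust anchor. DS digests follow RFC 4034 section 5.1.4: SHA-256
over the owner name in wire form ('.' is a single zero byte) followed by
the DNSKEY RDATA. Zone dump, keys and anchor below are constructed."""
import base64
import hashlib
import re
import struct

# Constructed stand-in for what `dig axfr . @server > root.db` leaves behind.
ROOT_DB = """\
.   172800  IN  DNSKEY  256 3 8 AwEAAQUGBw==
.   172800  IN  DNSKEY  257 3 8 AwEAAQIDBA==
"""
# Constructed anchor in DNSKEY form; ". IN DS <tag> <alg> 2 <hex>" also works.
ANCHORS = [". IN DNSKEY 257 3 8 AwEAAQIDBA=="]

DNSKEY_RE = re.compile(r"^\.\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.M)
DS_RE = re.compile(r"^\.\s+(?:\d+\s+)?IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)", re.M)

def dnskey_rdata(flags, proto, alg, b64key):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(b64key)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_of(rdata):
    """(key_tag, algorithm, digest type 2, SHA-256 hex digest) of a root DNSKEY."""
    return (key_tag(rdata), rdata[3], 2, hashlib.sha256(b"\x00" + rdata).hexdigest().upper())

def zone_ksk_ds(zone_text):
    """DS tuples of every DNSKEY in the dump with the SEP bit set (a KSK)."""
    return {ds_of(dnskey_rdata(int(f), int(p), int(a), k))
            for f, p, a, k in DNSKEY_RE.findall(zone_text) if int(f) & 1}

def anchor_ds(anchor):
    """Normalize an anchor given as DS or DNSKEY presentation text to a DS tuple."""
    m = DS_RE.match(anchor)
    if m:
        tag, alg, dtype, digest = m.groups()
        return (int(tag), int(alg), int(dtype), digest.upper())
    f, p, a, k = DNSKEY_RE.match(anchor).groups()
    return ds_of(dnskey_rdata(int(f), int(p), int(a), k))

def ksk_matches_anchor(zone_text, anchors):
    """True only if some KSK in the zone is a configured anchor; gate nsupdate on this."""
    return bool(zone_ksk_ds(zone_text) & {anchor_ds(a) for a in anchors})
```

A False result should abort the loop body before `nsdiff | nsupdate`, so a zone served by a wrong or rolled KSK never reaches the local root server.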
