Bjørn Mork wrote:
> Tony Finch <d...@dotat.at> writes:
...
>> You might be able to work around the problem by adding a
>> match-recursion-only option to the recursive view, and adding a
>> non-recursive view that has allow-query-cache, and use attach-cache
>> so all views share the same cache. I have not tried this :-)
>
> And the main objection I hear wrt RFC7706 is that it complicates the
> config :)

if you want to run yeti-style, there are some perl scripts that will fetch and verify the root zone, edit the apex NS and DNSKEY RRsets, re-sign with your local key, and give you a zone you can run on several servers inside your internal network, such that you can point your "hints" and your dnssec anchor at servers you control, for all your internal-network recursives. the code is here:

https://github.com/BII-Lab/Yeti-Project/tree/master/script/TISF

note, my internal-network is the virtualbox shared network on my own laptop, so while this is a complex approach, it's fewer moving parts for me than RFC 7706 would have been.

--
P Vixie