Except that RFC 8806 started as RFC 7706 where there was no such option
and the idea of root mirror zone was novel at the time. The example configuration
is an appendix documenting how we do this thing with current implementations
(e.g. Implementation Status).

Mark would probably know better, but as far as I can tell zones of type "stub"
were already included in BIND 4.9.2 released in 1994. Zone type "static-stub"
was added in BIND 9.8.0 released in 2011. There isn't anything novel about stub
zones.

That's the problem, you are asking people in this working group to spend time on
something that's quite well understood by now and there isn't really anything novel
in your draft.

Also, Sections 3, 4 and 5 are mostly documenting recommendations that a sane
deployment should NOT do. DNS relies on automatic delegation discovery and
you are recommending to break this. The static-stub is something that should be
used only sparingly and it tends to break unless all moving parts are controlled by
the same person.

Ondrej
--
Ondřej Surý (He/Him)
[email protected]

> On 19. 1. 2026, at 2:19, 张宾 <[email protected]> wrote:
> 
> Dear Ondrej,
> 
> 
>    Just like RFC 8806, a simple local configuration in BIND for building a
> local mirror of root server as follows,
> BIND 9.14 can set up a local mirror of the root zone with a small
>    configuration option:
> 
> 
>    zone "." {
>        type mirror;
>    };
> 
> 
>  This document describes a simple configuration method in BIND to directly
> query a local authoritative server the resolver trusts.
> The function of this configuration method is similar to RFC 8806, it can
> effectively shorten the query path of recursive servers, thus avoiding
> attacks from higher-level authoritative servers.
> 
> 
> Best Regards
> Bin
> 
> 
>> -----Original Message-----
>> From: "Ondřej Surý" <[email protected]>
>> Sent: 2026-01-18 22:00:51 (Sunday)
>> To: 张宾 <[email protected]>
>> Cc: [email protected]
>> Subject: Re: [DNSOP] New Draft on DNS Resolver Security
>> 
>> Hi,
>> 
>> I don't understand the purpose of this document and why it should be an
>> Internet Standard.
>> 
>> The document describes static-stub in BIND 9 and Unbound and doesn't seem to bring
>> anything new to the table. I might have missed something, but I don't see a reason why
>> this needs to be an Informational RFC.
>> 
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> [email protected]
>> 
>>> On 14. 1. 2026, at 9:13, 张宾 <[email protected]> wrote:
>>> 
>>> Dear Chairman,
>>> 
>>> My name is Bin Zhang. Our team recently submitted one Internet-Draft.
>>> 
>>>   This draft provides a technique for querying the designated
>>> authoritative server directly on the recursive server at the enterprise
>>> level.
>>>   The goal of this draft is to help implementers of some enterprises make
>>> their resolvers more secure.
>>> 
>>>    • Link: draft-zhang-dnsop-zb-01 - A Technique for Querying the
>>> Designated Authoritative Server Directly on the Recursive Server at the
>>> Enterprise Level
>>> 
>>> We believe these drafts fill important gaps in DNS security. We will attend 
>>> IETF 125 in Shenzhen and look forward to discussing these topics with the 
>>> working group.
>>> 
>>> We welcome any feedback on the mailing list.
>>> 
>>> Best regards,
>>> Bin Zhang
>>> Pengcheng Lab
>>> 
>>> _______________________________________________
>>> DNSOP mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>> 