In message <[email protected]>, Michael Thomas writes:
> On 03/14/2013 03:54 PM, Mark Andrews wrote:
> >
> > Please stop using "root servers" when you mean "parent servers".
> > They are *not* the same.  The root servers are only parent servers
> > for tld.
> 
> You're right, my bad.
> 
> >
> > There are authoritative servers and listed authoritative servers.
> > The two sets are usually the same.  When properly configured listed
> > authoritative servers are a subset of authoritative servers.  When
> > you have overlapping or disjoint sets there is a configuration
> > error.
> >
> > Now all authoritative servers serve the same zone content modulo
> > zone transfer delay unless one is running a split horizon configuration.
> > One of the usual reasons for running split horizon is to handle RFC
> > 1918 / ULA addresses where the public version of the zone matches
> > the private version of the zone with the RFC 1918 / ULA addresses
> > stripped out.  Doing this is straightforward with RFC 103[45] DNS.
> > It is a little more complicated with DNSSEC.
> >
> 
> So the bottom line is that unlisted authoritative servers are ok
> even in the face of DNSSec. That's good news.

With DNSSEC you can prove the unlisted servers are giving you good
responses.
 
The comment about difficulties with DNSSEC was with respect to split
horizon.  You can't just strip out records.  You also need to
regenerate RRSIG (as the signatures will no longer match the RRset)
and potentially generate new NSEC/NSEC3 record chains when all the
records at a name have been stripped out.  This is not impossible
to do.  BIND already strips out and regenerates all the DNSSEC data
for certain configurations.  Stripping out additional records
would be straightforward.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
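A worked illustration of the split-horizon point made above: a signed zone is filtered to a public view with the RFC 1918 / ULA addresses removed, the old RRSIG of every RRset that changed stops verifying, and the RRSIGs and NSEC chain have to be regenerated for the public view. This is an added example, not code from the thread and not BIND's implementation. The zone data is constructed, and the "RRSIG" is an HMAC stand-in for a real public-key signature; the dependency on the exact RRset contents, which is the point here, is the same. The NSEC chain is simplified (no DNSKEY at the apex, no NSEC3 hashing).

```python
"""Split-horizon DNSSEC: strip RFC 1918 / ULA addresses from a signed zone,
then regenerate the RRSIGs and the NSEC chain (toy model, constructed data)."""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Address ranges stripped from the public view: RFC 1918 plus IPv6 ULA fc00::/7.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample zone as (owner, type, rdata); not real data.
ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("ns1.example.", "A", "10.0.0.1"),        # private address at a public name
    ("www.example.", "A", "192.0.2.10"),
    ("www.example.", "AAAA", "fd00::10"),      # ULA: whole AAAA RRset disappears
    ("printer.example.", "A", "192.168.1.20"), # name vanishes from public view
    ("db.example.", "A", "10.0.0.5"),
    ("db.example.", "AAAA", "fd00::5"),
]

KEY = b"constructed-demo-key"  # stand-in for the zone signing key (assumption)

def canonical_order(name):
    """Sort key approximating RFC 4034 canonical ordering: labels right to left."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def rrsets(records):
    """Group records into RRsets keyed by (owner, type), rdata sorted."""
    out = defaultdict(list)
    for owner, rtype, rdata in records:
        out[(owner, rtype)].append(rdata)
    return {k: sorted(v) for k, v in out.items()}

def sign_rrset(key, owner, rtype, rdatas):
    """Stand-in RRSIG: an HMAC over the canonical RRset. A real RRSIG is a
    public-key signature, but it likewise covers every rdata in the set."""
    msg = "\n".join([owner, rtype] + rdatas).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def nsec_chain(sets):
    """NSEC records: each owner points at the next name in canonical order and
    carries a type bitmap of what exists there; the last name wraps to the apex."""
    names = sorted({owner for owner, _ in sets}, key=canonical_order)
    chain = {}
    for i, name in enumerate(names):
        types = sorted(t for (o, t) in sets if o == name) + ["NSEC", "RRSIG"]
        chain[name] = (names[(i + 1) % len(names)], types)
    return chain

def sign_zone(key, records):
    """Return (rrsets, rrsigs, nsec chain) for one view of the zone."""
    sets = rrsets(records)
    sigs = {k: sign_rrset(key, k[0], k[1], v) for k, v in sets.items()}
    return sets, sigs, nsec_chain(sets)

def is_private(rtype, rdata):
    if rtype not in ("A", "AAAA"):
        return False
    addr = ipaddress.ip_address(rdata)
    return any(addr in net for net in PRIVATE_NETS)  # version mismatch is False

def public_view(records):
    """The split-horizon filter: drop only records with private addresses."""
    return [r for r in records if not is_private(r[1], r[2])]

def verify(key, sets, sigs):
    """Return the (owner, type) keys whose RRSIG no longer matches the RRset."""
    return sorted(k for k, v in sets.items() if not hmac.compare_digest(
        sigs.get(k, ""), sign_rrset(key, k[0], k[1], v)))

if __name__ == "__main__":
    sets, sigs, nsec = sign_zone(KEY, ZONE)
    pub = public_view(ZONE)
    # Reusing the internal RRSIGs on the filtered data: the ns1 A RRset changed.
    print("stale RRSIGs in public view:", verify(KEY, rrsets(pub), sigs))
    pub_sets, pub_sigs, pub_nsec = sign_zone(KEY, pub)
    print("after re-signing:", verify(KEY, pub_sets, pub_sigs))
    print("internal NSEC chain:", [(n, nxt) for n, (nxt, _) in nsec.items()])
    print("public NSEC chain:  ", [(n, nxt) for n, (nxt, _) in pub_nsec.items()])
```

Two things the output makes visible: an RRset that merely lost one private address (ns1.example. A) keeps its name in the zone but needs a fresh RRSIG, while names whose records were all private (printer.example., db.example.) drop out of the public view entirely, so the NSEC chain for the public view must skip them and the neighbouring NSEC records must be regenerated and re-signed as well.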
