On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote:
On 08/20/2018 11:06 PM, Doug Barton wrote:
But that doesn't mean that slaving a zone, any zone, including the
root, is "dangerous." If slaving zones is dangerous, the DNS is way
more fragile than it already is.
Sorry, poor chose of
On 08/20/2018 11:06 PM, Doug Barton wrote:
But that doesn't mean that slaving a zone, any zone, including the root,
is "dangerous." If slaving zones is dangerous, the DNS is way more
fragile than it already is.
Sorry, poor chose of words.
The last time I read the RFC discussing slaving the
On 08/20/2018 09:00 AM, Grant Taylor via bind-users wrote:
On 08/20/2018 05:23 AM, Tony Finch wrote:
If the local root zone gets corrupted somehow (maliciously or
otherwise) the usual setup cannot detect a problem, but it'll cause
DNSSEC validation failures downstream. The normal resolver /
On 08/20/2018 05:23 AM, Tony Finch wrote:
If the local root zone gets corrupted somehow (maliciously or otherwise)
the usual setup cannot detect a problem, but it'll cause DNSSEC validation
failures downstream. The normal resolver / validator algorithm is
more robust.
The new mirror zone
Doug Barton wrote:
>
> How, specifically, is DNSSEC affected by the validating resolver having a
> local copy of the root zone?
If the local root zone gets corrupted somehow (maliciously or otherwise)
the usual setup cannot detect a problem, but it'll cause DNSSEC validation
failures downstream.
On 2018-08-15 10:43, Tony Finch wrote:
Doug Barton wrote:
Slaving the root and ARPA zones is a small benefit to performance for
a busy
resolver, [...]
This technique is particularly useful for folks in bad/expensive
network
conditions. While the current anycast networks of root servers
> BIND 9.14 will have an improved local root implementation (called a
> "mirror" zone) which validates the zone so you don't blindly serve bogus
> data. The feature is available now in the 9.13 dev branch; I have not
> tried mirroring the arpa zones - the docs suggest that isn't a supported
>
Doug Barton wrote:
>
> Slaving the root and ARPA zones is a small benefit to performance for a busy
> resolver, [...]
> This technique is particularly useful for folks in bad/expensive network
> conditions. While the current anycast networks of root servers is much better
> than it was "in the
On 08/15/2018 09:11 AM, Bob McDonald wrote:
I've recently been investigating having a local slave copy of the root
zone on a caching/forwarder type server. I've even put the local slave
copy of the root zone into a separate view accessed via a different
loopback address. (An limited example
Thank you sir! I'll investigate the newer bind implementations.
Regards.
Bob
On Wed, Aug 15, 2018 at 12:41 PM Tony Finch wrote:
> Bob McDonald wrote:
>
> > I've recently been investigating having a local slave copy of the root
> zone
> > on a caching/forwarder
Bob McDonald wrote:
> I've recently been investigating having a local slave copy of the root zone
> on a caching/forwarder type server.
I do this on my toy server for various strange reasons, and although it
has worked OK I'm not confident it's really solid enough for production.
I've recently been investigating having a local slave copy of the root zone
on a caching/forwarder type server. I've even put the local slave copy of
the root zone into a separate view accessed via a different loopback
address. (An limited example of this exists on the ISC site)
My question
12 matches
Mail list logo