Re: Local Slave copy of root zone

2018-08-21 Thread Doug Barton
On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote: On 08/20/2018 11:06 PM, Doug Barton wrote: But that doesn't mean that slaving a zone, any zone, including the root, is "dangerous." If slaving zones is dangerous, the DNS is way more fragile than it already is. Sorry, poor choice of

Re: Local Slave copy of root zone

2018-08-21 Thread Grant Taylor via bind-users
On 08/20/2018 11:06 PM, Doug Barton wrote: But that doesn't mean that slaving a zone, any zone, including the root, is "dangerous." If slaving zones is dangerous, the DNS is way more fragile than it already is. Sorry, poor choice of words. The last time I read the RFC discussing slaving the

Re: Local Slave copy of root zone

2018-08-20 Thread Doug Barton
On 08/20/2018 09:00 AM, Grant Taylor via bind-users wrote: On 08/20/2018 05:23 AM, Tony Finch wrote: If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream. The normal resolver /

Re: Local Slave copy of root zone

2018-08-20 Thread Grant Taylor via bind-users
On 08/20/2018 05:23 AM, Tony Finch wrote: If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream. The normal resolver / validator algorithm is more robust. The new mirror zone

Re: Local Slave copy of root zone

2018-08-20 Thread Tony Finch
Doug Barton wrote:
> How, specifically, is DNSSEC affected by the validating resolver having a local copy of the root zone?

If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream.

Re: Local Slave copy of root zone

2018-08-18 Thread Doug Barton
On 2018-08-15 10:43, Tony Finch wrote: Doug Barton wrote: Slaving the root and ARPA zones is a small benefit to performance for a busy resolver, [...] This technique is particularly useful for folks in bad/expensive network conditions. While the current anycast networks of root servers

Re: Local Slave copy of root zone

2018-08-16 Thread Michał Kępień
> BIND 9.14 will have an improved local root implementation (called a "mirror" zone) which validates the zone so you don't blindly serve bogus data. The feature is available now in the 9.13 dev branch; I have not tried mirroring the arpa zones - the docs suggest that isn't a supported

Re: Local Slave copy of root zone

2018-08-15 Thread Tony Finch
Doug Barton wrote:
> Slaving the root and ARPA zones is a small benefit to performance for a busy resolver, [...]
> This technique is particularly useful for folks in bad/expensive network conditions. While the current anycast networks of root servers is much better than it was "in the

Re: Local Slave copy of root zone

2018-08-15 Thread Doug Barton
On 08/15/2018 09:11 AM, Bob McDonald wrote: I've recently been investigating having a local slave copy of the root zone on a caching/forwarder type server. I've even put the local slave copy of the root zone into a separate view accessed via a different loopback address. (A limited example of

Re: Local Slave copy of root zone

2018-08-15 Thread Bob McDonald
Thank you sir! I'll investigate the newer bind implementations. Regards. Bob

On Wed, Aug 15, 2018 at 12:41 PM Tony Finch wrote:
> Bob McDonald wrote:
> > I've recently been investigating having a local slave copy of the root zone on a caching/forwarder type server.
>
> I do this on

Re: Local Slave copy of root zone

2018-08-15 Thread Tony Finch
Bob McDonald wrote:
> I've recently been investigating having a local slave copy of the root zone on a caching/forwarder type server.

I do this on my toy server for various strange reasons, and although it has worked OK I'm not confident it's really solid enough for production. If you are