Local Slave copy of root zone
Grant Taylor
gtaylor at tnetconsulting.net
Mon Aug 20 16:00:48 UTC 2018
On 08/20/2018 05:23 AM, Tony Finch wrote:
> If the local root zone gets corrupted somehow (maliciously or otherwise)
> the usual setup cannot detect a problem, but it'll cause DNSSEC validation
> failures downstream. The normal resolver / validator algorithm is
> more robust.
>
> The new mirror zone code validates the root zone before installing
> it, which at least allows it to detect a problem; I have not examined
> it closely enough to see how hard it tries to recover by xfering the
> zone from a different root server, or if it just falls back to normal
> resolution.
Thank you for that explanation. It explains why it's potentially
dangerous to blindly slave the root zone for general use by clients on a
local recursive resolver.
--
Grant. . . .
unix || die
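The two setups Tony contrasts, written out as BIND named.conf fragments (an added example, not from this thread or from ISC's own documentation). Addresses are placeholders, the mirror syntax is as introduced in BIND 9.14, and the comment on fall-back behaviour reflects my understanding of the ARM, not something Tony's message confirms.

```conf
// Added example (not part of the original thread). Two ways to hold a
// local copy of the root zone in BIND 9.14+; master addresses are
// placeholders from the documentation range, not real root servers.

// Setup 1: the "usual setup" (RFC 7706 style), a plain secondary copy.
// named serves whatever it transferred. Nothing checks the zone contents
// before they are used, so a corrupted or tampered transfer is served
// as-is and only becomes visible as DNSSEC validation failures in
// downstream validators.
zone "." {
    type slave;
    file "root.zone.db";
    masters { 192.0.2.1; 2001:db8::1; };   // placeholder addresses
    notify no;
};

// Setup 2: a mirror zone. named DNSSEC-validates the transferred copy
// against its trust anchor before installing it, so a bad transfer is
// detected rather than served. Assumption (from the BIND ARM, not this
// thread): a copy that fails validation is not used and queries for "."
// are answered by normal recursive resolution instead.
options {
    dnssec-validation auto;              // required for mirror zones
};

zone "." {
    type mirror;
    // Assumption: with no masters listed for ".", named transfers from
    // its built-in root-server list; list masters to override that.
};
```

Only one of the two `zone "."` blocks may be present in a given view; they are shown side by side to make the difference in validation behaviour explicit.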