Local Slave copy of root zone
Tony Finch
dot at dotat.at
Mon Aug 20 11:23:57 UTC 2018
Doug Barton <dougb at dougbarton.us> wrote:
>
> How, specifically, is DNSSEC affected by the validating resolver having a
> local copy of the root zone?

If the local root zone gets corrupted somehow (maliciously or otherwise)
the usual setup cannot detect a problem, but it'll cause DNSSEC validation
failures downstream. The normal resolver / validator algorithm is more
robust.

The new mirror zone code validates the root zone before installing it,
which at least allows it to detect a problem; I have not examined it
closely enough to see how hard it tries to recover by xfering the zone
from a different root server, or if it just falls back to normal
resolution.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Westerly, backing
southerly later, 4 or 5, occasionally 6 later in Fair Isle. Moderate,
occasionally slight. Showers then rain. Good, becoming moderate or poor.
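
The two setups contrasted in the message above, sketched as a named.conf fragment. This is an added example, not configuration posted in the thread; the file name and the 192.0.2.x primaries are placeholders, and the mirror stanza assumes a BIND release that supports `type mirror` and relies on its built-in root primaries and root trust anchor.

```conf
// Added example (not from the original thread).
// A view can hold only one zone "."; alternative A is commented out.

// Alternative A: plain local slave copy of the root zone.
// Whatever arrives over the transfer is loaded as-is. Nothing checks the
// zone as a whole, so a corrupted copy is only noticed indirectly, as
// DNSSEC validation failures further down the resolution path.
//
// zone "." {
//     type slave;
//     file "root.db";               // assumed file name
//     notify no;
//     masters {
//         192.0.2.1;                // placeholder, not a real root server
//         192.0.2.2;                // placeholder, not a real root server
//     };
// };

// Alternative B: mirror zone.
// The transferred zone is DNSSEC-validated in full against the configured
// trust anchor before it is installed; a copy that fails validation is
// not put into service.
options {
    dnssec-validation auto;          // use the built-in root trust anchor
};

zone "." {
    type mirror;                     // no primaries listed: built-in root list is used
};
```

With alternative B, a rejected transfer shows up in the named log, which is the place to alert on if a local root copy is part of the resolver design.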
More information about the bind-users mailing list