In message <519b9008.7040...@chrysler.com>, Kevin Darcy writes:
>
> Ugh, I'm trying _really_ hard not to be an annoying nitpicker (yeah, I
> know, try harder :-), but...
>
> The relevant verbiage of RFC 6762 is:
>
>    Caching DNS servers SHOULD recognize these names as special and
>    SHOULD NOT attempt to look up NS records for them, or otherwise
>    query authoritative DNS servers in an attempt to resolve these
>    names.  Instead, caching DNS servers SHOULD generate immediate
>    NXDOMAIN responses for all such queries they may receive (from
>    misbehaving name resolver libraries).  This is to avoid unnecessary
>    load on the root name servers and other name servers.
>
> I'm not sure that slaving the root zone (although it is the "simplest
> solution" and undoubtedly _works_) is really compatible with the letter
> or spirit of that verbiage...
>
> - Kevin

And doing that doesn't work if you have a validating stub resolver, as there
is no insecure delegation to .local in the root zone. Synthesis of DNS
records is not straightforward in the presence of DNSSEC.

See RFC 6303, Locally Served DNS Zones, for how it needs to be done. You will
note that IANA was tasked with the job of getting insecure delegations added
for all the zones listed.

When you slave the root you do not need an insecure delegation. It is
possible to cryptographically identify when secure delegations have been
tampered with, which will cover the majority of the delegations in the root
zone. All new TLDs are required to support DNSSEC.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
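The two points in Mark's reply (a synthesised NXDOMAIN for .local cannot be validated, while either a slaved copy of the signed root zone or an RFC 6303 style insecure delegation can satisfy a validating stub) come down to the NSEC denial-of-existence rules of RFC 4034/4035. The following is an added, self-contained illustration written for this page; it is not BIND code and not from either poster. The "root zone" NSEC chains in it are constructed fragments, not the real root zone, RRSIG verification is stood in for by "the NSEC must come from the trusted zone copy", and all function names are the author's own. The canonical-ordering and cover checks are the real RFC 4034 section 6.1 / RFC 4035 section 5.4 logic.

```python
# Added illustration, not part of the original thread or of BIND.
# Models why a validating stub accepts NXDOMAIN for a name under .local only
# when the answer carries the signed root zone's NSEC proof (what a resolver
# that slaves the root can supply), or when .local is insecurely delegated
# (the RFC 6303 approach), and rejects a bare synthesised NXDOMAIN.

def labels(name):
    """Lowercase labels of a DNS name; the apex '.' becomes []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering: compare from the rightmost
    label, each label as raw octets; a name sorts before any name that it
    is a proper prefix of (so 'example' < 'www.example')."""
    return tuple(lbl.encode("ascii") for lbl in reversed(labels(name)))

def nsec_covers(owner, nxt, name):
    """True if name lies strictly between owner and nxt in canonical order.
    The last NSEC in a chain points back to the apex and therefore covers
    every name that sorts after its owner."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < q < n
    return o < q or q < n   # wrap-around at the end of the chain

# Constructed NSEC chain: (owner, next owner, types present at owner).
# 'local' is absent, as in the real root zone at the time of the thread.
ROOT_NSEC = [
    (".",      "aaa",    {"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"}),
    ("aaa",    "loans",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("loans",  "locker", {"NS", "DS", "RRSIG", "NSEC"}),
    ("locker", "zw",     {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw",     ".",      {"NS", "DS", "RRSIG", "NSEC"}),
]

# Same chain with the kind of insecure delegation RFC 6303 asked IANA to add:
# 'local' exists with NS but no DS, so a validator treats the subtree as
# insecure and accepts unsigned answers for it.  Hypothetical data.
ROOT_NSEC_INSECURE_LOCAL = [
    (".",      "aaa",    {"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"}),
    ("aaa",    "loans",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("loans",  "local",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("local",  "locker", {"NS", "RRSIG", "NSEC"}),
    ("locker", "zw",     {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw",     ".",      {"NS", "DS", "RRSIG", "NSEC"}),
]

def find_nsec(zone, name):
    """The NSEC record owned by name, or None if name is not in the zone."""
    key = canonical_key(name)
    return next((r for r in zone if canonical_key(r[0]) == key), None)

def answer_from_slaved_root(zone, qname):
    """What a resolver holding the signed root zone returns for a name whose
    TLD does not exist: NXDOMAIN plus the NSEC records proving that the TLD
    and the root wildcard '*' are absent (RFC 4035 section 3.1.3.2)."""
    tld = labels(qname)[-1]
    proofs = [r for r in zone
              if nsec_covers(r[0], r[1], tld) or nsec_covers(r[0], r[1], "*")]
    return {"rcode": "NXDOMAIN", "nsec": proofs}

def answer_synthesized(qname):
    """An RFC 6762 style locally synthesised NXDOMAIN: there is no zone data
    behind it, so there is nothing signed and no NSEC to include."""
    return {"rcode": "NXDOMAIN", "nsec": []}

def stub_validates(zone, qname, answer):
    """A validating stub's verdict: 'secure', 'insecure' or 'bogus'.
    `zone` stands for the signed root data the stub can obtain and trust;
    an NSEC counts as authenticated only if it is present there."""
    tld = labels(qname)[-1]
    deleg = find_nsec(zone, tld)
    if deleg is not None and "NS" in deleg[2] and "DS" not in deleg[2]:
        return "insecure"      # insecure delegation: unsigned data below is fine
    trusted = [r for r in answer["nsec"] if r in zone]
    covers_tld = any(nsec_covers(o, n, tld) for o, n, _ in trusted)
    covers_wild = any(nsec_covers(o, n, "*") for o, n, _ in trusted)
    if answer["rcode"] == "NXDOMAIN" and covers_tld and covers_wild:
        return "secure"
    return "bogus"

if __name__ == "__main__":
    q = "printer.local"
    print("slaved root:     ", stub_validates(ROOT_NSEC, q, answer_from_slaved_root(ROOT_NSEC, q)))
    print("synthesised:     ", stub_validates(ROOT_NSEC, q, answer_synthesized(q)))
    print("RFC 6303 deleg.: ", stub_validates(ROOT_NSEC_INSECURE_LOCAL, q, answer_synthesized(q)))
```

Run stand-alone, the three lines print secure, bogus and insecure respectively: the slaved root can hand the stub a covering NSEC pair ("loans" to "locker" for the TLD, "." to "aaa" for the wildcard) that it can check, a synthesised NXDOMAIN carries no proof and fails validation, and with an insecure delegation in place the stub stops demanding proof below "local" at all.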