On Nov 11, 2014, at 11:07 AM, Tony Finch <d...@dotat.at> wrote:

> I have been running with a similar config on my toy nameserver for nearly
> a year,

That makes me feel better about our assertion that we probably did not invent this.

> and it is reasonably satisfactory.

That makes me feel better in general. :-)

> I have not really exercised its
> failure modes. Previously I just slaved the root zone without validating
> it.
>
> I thought the idea of validating the zone transfer before putting the zone
> live was interesting. I could probably lash up a script to do that along
> the lines of the following, though it also needs to check the KSK matches
> the trust anchor.
>
> for server in $root_servers
> do if dig axfr . @$server >root.db &&
>       dnssec-verify -o . root.db
>    then nsdiff -s localhost . root.db | nsupdate -l
>         exit $?
>    fi
> done

Sure, but this is an unnecessary change to what recursives do today, which is to validate each response. It feels better to keep as much as we can from the current methodology.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
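The step Tony's loop sketch leaves out is checking that the KSK in the transferred zone matches the configured trust anchor; `dnssec-verify` proves the zone is consistently signed, but not that it is signed by the key you trust. The script below is an added example for this thread, not code from either poster. It reads the DNSKEY records from a zone file in presentation format (as `dig axfr . @server > root.db` writes it), derives the DS record each KSK would have (RFC 4034 section 5.1.4, SHA-256 digest type 2, key tag from Appendix B), and accepts the zone only if at least one KSK matches a trust-anchor DS. Assumptions: the trust anchors are given as DS records in presentation format (`. IN DS tag alg 2 digest`), only SHA-256 anchors are compared, and the script name `check_root_ksk.py` is hypothetical; the embedded zone and anchor data are constructed, with a few-byte stand-in for the public key, and are not the real root KSK. Only the Python standard library is used.

```python
"""check_root_ksk.py: refuse to put a transferred root zone live unless a
KSK in it matches a trust anchor.

Added example for the DNSOP thread, not the posters' code. It would slot
into Tony's loop as:  dnssec-verify -o . root.db &&
                      python3 check_root_ksk.py root.db root-anchors.ds
"""
import base64
import hashlib
import sys

SEP_FLAG = 0x0001          # DNSKEY "Secure Entry Point" bit, set on a KSK
DIGEST_SHA256 = 2          # DS digest type 2
ROOT_OWNER_WIRE = b"\x00"  # the root name "." in wire form: one empty label


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_dnskey(flags, protocol, algorithm, pubkey_b64, owner_wire=ROOT_OWNER_WIRE):
    """DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY,
    RFC 4034 section 5.1.4: digest = SHA-256(canonical owner || RDATA)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(owner_wire + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DIGEST_SHA256, digest)


def _rr_fields(line, rtype):
    """Return (owner, fields after RTYPE) for a presentation-format line, or
    None. Tolerates an optional TTL/class, a trailing ';' comment, and dig's
    habit of breaking base64 data across spaces (callers re-join it)."""
    fields = line.split(";", 1)[0].split()
    if rtype not in fields:
        return None
    return fields[0], fields[fields.index(rtype) + 1:]


def zone_ksks(zone_text, owner="."):
    """Yield (flags, protocol, algorithm, base64 key) for apex DNSKEYs with SEP set."""
    for line in zone_text.splitlines():
        parsed = _rr_fields(line, "DNSKEY")
        if parsed is None or parsed[0] != owner:
            continue
        rdata = parsed[1]
        flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
        if flags & SEP_FLAG:
            yield flags, proto, alg, "".join(rdata[3:])


def trust_anchor_ds(anchor_text, owner="."):
    """Parse '. IN DS tag alg dtype digest' lines into a set of DS tuples."""
    anchors = set()
    for line in anchor_text.splitlines():
        parsed = _rr_fields(line, "DS")
        if parsed is None or parsed[0] != owner:
            continue
        r = parsed[1]
        anchors.add((int(r[0]), int(r[1]), int(r[2]), "".join(r[3:]).upper()))
    return anchors


def matching_ksk_tags(zone_text, anchor_text):
    """Key tags of zone KSKs whose SHA-256 DS is a configured trust anchor.
    One match is enough: during a KSK rollover the zone legitimately carries
    a second KSK that the anchor set does not (yet) cover."""
    anchors = trust_anchor_ds(anchor_text)
    matched = []
    for ksk in zone_ksks(zone_text):
        ds = ds_for_dnskey(*ksk)
        if ds in anchors:
            matched.append(ds[0])
    return sorted(matched)


# Constructed sample data: the "public key" is a few bytes with an RSA-style
# prefix (exponent length 3, exponent 65537), enough to exercise the tag and
# digest computation. It is not a real root KSK.
SAMPLE_ZONE = """\
.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2014111100 1800 900 604800 86400
.\t172800\tIN\tDNSKEY\t257 3 8 AwEAAavN 7xI=
.\t172800\tIN\tDNSKEY\t256 3 8 AwEAAavN ZZI=
"""
STALE_ANCHOR = ". IN DS 12345 8 2 " + "00" * 32 + "\n"   # constructed, matches nothing


def sample_anchor_text():
    """Anchor file for the constructed KSK, in the DS presentation format."""
    tag, alg, dtype, digest = ds_for_dnskey(257, 3, 8, "AwEAAavN7xI=")
    return ". IN DS %d %d %d %s\n" % (tag, alg, dtype, digest)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: check_root_ksk.py root.db trust-anchors.ds\n")
        return 2
    with open(argv[1]) as f:
        zone = f.read()
    with open(argv[2]) as f:
        anchors = f.read()
    tags = matching_ksk_tags(zone, anchors)
    if not tags:
        sys.stderr.write("no KSK in the zone matches a trust anchor; refusing to load it\n")
        return 1
    print("KSK key tag(s) matching a trust anchor:", " ".join(map(str, tags)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only closes the trust-anchor gap; it does not replace `dnssec-verify`, which checks the RRSIGs, and it deliberately does not compare SHA-1 (digest type 1) anchors. A non-zero exit from the script keeps the `&&` chain in the loop from ever reaching `nsupdate`.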