On Sun, Nov 16, 2014 at 03:12:58PM -0800, Doug Barton wrote:
> Before commenting further I'd love the authors to flesh
> out their reasoning for not simply slaving the zone where possible.

I'm not one of the authors, but I can give you an answer: in BIND, and I believe in other DNS implementations as well, local authoritative data isn't subject to DNSSEC validation.

> (And yes, I'm aware that one of the primary motivators is DNSSEC, but the
> only thing in the root that we care about are the DS records, and a
> validating resolver is going to chase those up to its trust anchor
> anyway.)

No. If the root zone is slaved locally in the same view as the validator, then the server (correctly) sees the top-level DS as local authoritative data, and presumes it to be valid.

(I just tested BIND to confirm this. The log shows that org/DNSKEY, isc.org/DS, and isc.org/DNSKEY were validated, but org/DS wasn't.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
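Added example, not part of the message above and not ISC's or the draft authors' configuration: two BIND `named.conf` fragments that illustrate the point being made. The first slaves the root zone into the same view that validates, so the TLD DS records (org/DS in Evan's test) are served as local authoritative data and never validated. The second keeps the slaved copy in its own view and reaches it from the recursive view through a `static-stub` zone, the separate-view arrangement that RFC 7706 later documented for BIND; the root data then arrives as an ordinary response and is validated like any other. The loopback address 127.12.12.12 and the master address 192.0.2.1 are placeholders.

```conf
# Added example (not from the original message). Addresses are placeholders.

# --- Weak: root zone slaved into the same view that validates ---------------
# The validator treats "." as its own authoritative data, so DS records for
# TLDs (e.g. org/DS) are answered without DNSSEC validation; a corrupted or
# stale local copy of the root would be trusted as-is.
options {
    recursion yes;
    dnssec-validation auto;   # built-in root trust anchor
};

zone "." {
    type slave;
    file "root.db";
    masters { 192.0.2.1; };   # placeholder: a host that permits AXFR of "."
};

# --- Corrected: keep the slaved root in its own view ------------------------
# Only the "root" view holds the zone as authoritative data. The "recursive"
# view queries it over loopback via a static-stub zone, so the answers are
# validated against the trust anchor like responses from any other server.
view "root" {
    match-destinations { 127.12.12.12; };  # reachable only on this loopback address
    recursion no;

    zone "." {
        type slave;
        file "root.db";
        notify no;
        masters { 192.0.2.1; };            # placeholder, as above
    };
};

view "recursive" {
    match-destinations { any; };
    recursion yes;
    dnssec-validation auto;

    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };  # send root queries to the local copy
    };
};
```

`named` must also listen on the loopback address used by the root view (add it to `listen-on` in `options`). A quick check of which layout you have: `dig @127.0.0.1 org DS +dnssec` should return the answer with the `ad` flag set under the separate-view layout, whereas with the single-view layout the same answer is served as authoritative (`aa`) without having been validated.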