On 26 Oct 2018, at 10:52, Ray Bellis wrote:

On 12/09/2018 18:57, Paul Hoffman wrote:

Greetings again. One of the things that people said they wanted in 7706bis is more example configurations for different systems. We currently have:
- BIND 9.9 with views
...
I'll test BIND 9.10 with views to see if it's the same setup, and also more recent Unbound/NSDs.

BIND 9.9 and BIND 9.10 were both EOL as of July this year.

BIND 9.11 is the "ESV" version with an EOL date of July 2021.

(see the version table under the "BIND" drop down at
<https://www.isc.org/downloads/>)

The setup should be identical to the earlier versions, though.

That said - I want to take issue with the continuing focus on "same
host", even though the "running on loopback" restriction isn't there.

IMHO there's simply no need for this.  Even the largest ISP shouldn't
need more than a few local root zone servers, and it's an unnecessary
complication to shoe-horn those local copies onto the same host and/or
server as the recursive instance.

The document says "The primary goals of this design are to provide
faster negative responses to stub resolver queries that contain queries
that result in NXDOMAIN responses, and to prevent queries and responses
from being visible on the network".

IMHO, that second goal should be for those queries not to _leave_ the
network.

By all means describe how one _could_ run on the same host, but as a
whole I still find this document unnecessarily proscriptive.

I'd like to see examples of configurations where the local root copy
*isn't* on the same host. This is, I believe, a potentially more useful
configuration and avoids the need for nasty hacks like the use of
"views" to allow the recursor to perform DNSSEC validation.


I agree, there is no need to restrict the document to loopback and we should not be using examples that require non-standardised features like views.

John

Ray

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


John Dickinson

http://sinodun.com

Sinodun Internet Technologies Ltd.
Magdalen Centre
Oxford Science Park
Robert Robinson Avenue
Oxford OX4 4GA
U.K.
