Paul Vixie <p...@redbarn.org> wrote:
>
> first, all complexity comes at a cost. the new code and configuration needed
> to support "mirror zones" will be a lifelong source of bugs and
> vulnerabilities, because that's true of every new feature. the desired benefit
> should be weighed against this cost. "by running one on the loopback" fails
> this important test, mostly because it only applies to the root zone.

Yes. I also agree with Geoff Huston's article from April that hyperlocal
roots are not a compelling improvement when we have DNSSEC negative answer
synthesis, which applies to any NSEC zone, not just the root.

https://www.potaroo.net/ispcol/2019-04/root.html

> second, RDNS name servers who wanted to support this feature, which all must,
> due to the competitive nature of the open source infrastructure community,
> have to add features very much like authority DNS.

Ironically, unbound has been growing more and more features for serving
authoritative data. There are fairly compelling operational pressures
that drive recursive servers to become more and more complicated, because
they are a very powerful point of control.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Great Orme Head to the Mull of Galloway: South 3 to 5. Smooth or slight.
Mainly fair. Moderate or good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
