On Sun, Mar 1, 2020 at 9:00 PM <internet-dra...@ietf.org> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
> Title : Running a Root Server Local to a Resolver
> Authors : Warren Kumari
> Paul Hoffman
> Filename : draft-ietf-dnsop-7706bis-08.txt
> Pages : 13
> Date : 2020-03-01
>
> Abstract:
> Some DNS recursive resolvers have longer-than-desired round-trip
> times to the closest DNS root server such as during a network attack.
> Some DNS recursive resolver operators want to prevent snooping by
> third parties of requests sent to DNS root servers. Such resolvers
> can greatly decrease the round-trip time and prevent observation of
> requests by serving a copy of the full root zone on the same server,
> such as on a loopback address or in the resolver software. This
> document shows how to start and maintain such a copy of the root zone
> that does not cause problems for other users of the DNS, at the cost
> of adding some operational fragility for the operator.
>
> This document obsoletes RFC 7706.
>
> [ This document is being collaborated on in Github at:
> https://github.com/wkumari/draft-kh-dnsop-7706bis. The most recent
> version of the document, open issues, and so on should all be
> available there. The authors gratefully accept pull requests. ]
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-7706bis/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-7706bis-08
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-7706bis-08
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-7706bis-08
>

Suggestions:
Abstract

"Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server such as during a network attack."

Suggested change:

Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server. Some DNS recursive resolvers may have difficulty getting responses from the root servers such as during a network attack.

1. Introduction (end of fourth paragraph)

"The recursive resolver validates all responses from the root service on the same host, just as it would all validate responses from a remote root server."

"would all validate" -> "would validate all"

2. Requirements (second bullet point)

"The system MUST have an up-to-date copy of the Key Signing Key (KSK) [RFC4033] used to sign the DNS root."

-- Should we clarify as "the public portion of the Key Signing Key" ? (They do not need the private key)

--
Bob Harold
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
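Editor's note, added to this archived thread and not part of the draft or of either message above: for readers who want to see what the abstract's "copy of the full root zone ... in the resolver software" and the Requirements bullet about the KSK look like in practice, the following is an Unbound configuration fragment that implements the approach the draft describes. It is an illustration written for this page, not text from draft-ietf-dnsop-7706bis; the file paths are assumptions, and the list of transfer sources is a sample rather than a recommendation.

```conf
# Added example, not from the draft: serve a local copy of the root zone
# inside Unbound so the resolver's own priming/root queries never leave
# the host. Paths below are assumptions for this illustration.
server:
    # The draft's second requirement: an up-to-date copy of the root
    # KSK. Only the public key is needed; RFC 5011 tracking keeps it
    # current (the file is read and rewritten by Unbound, never by the
    # root operators' private key material).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    # Sources to AXFR the root zone from. The draft lists operators that
    # offer zone transfers; these three are a sample for illustration.
    master: "b.root-servers.net"
    master: "c.root-servers.net"
    master: "f.root-servers.net"
    # Alternatively fetch over HTTPS (assumed URL, check the draft):
    # url: "https://www.internic.net/domain/root.zone"
    # Keep a copy on disk so a restart does not start from an empty zone.
    zonefile: "/var/lib/unbound/root.zone"
    # The point the abstract makes about not causing problems for other
    # users: the copy is only used to answer this resolver's own
    # upstream lookups, and is never served to downstream clients as if
    # this host were a root server.
    for-downstream: no
    for-upstream: yes
    # The "operational fragility" caveat: if the local copy is stale or
    # a transfer fails, fall back to querying the real root servers
    # instead of serving expired data.
    fallback-enabled: yes
```

Two checks worth doing after enabling this: confirm the zone actually loaded and its SOA serial advances daily (the root zone is republished roughly twice a day), and confirm that DNSSEC validation still succeeds for a known signed name, since the local copy's signatures are validated against the same trust anchor as answers from a remote root server, exactly as the Introduction says.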