On Jan 9, 2024, at 19:17, Paul Hoffman <paul.hoff...@icann.org> wrote:
>> Perhaps a recommendation could be to check with ZONEMD and do an AXFR,
>> e.g. recommend implementing RFC 8806 - "Running a Root Server Local to a 
>> Resolver".
>> Comes with added bonuses on top of a signature on all the root glue.
>> 
>> I still think this would also still be good to mention.
> 
> This would be a very confusing mention because the resolver isn't really 
> "priming" at that point, it's using a complete root zone. I'll cover this 
> with an addition to the Security Considerations section:
> 
> <t>This document does not cover the use of (or the need for) priming when
> serving a copy of the full root zone on the same server as the resolver,
> such as is described in <xref target="RFC8806"/>.
> In such a setup, the resolver never really primes its cache because the
> cache is full as soon as the resolver pulls down a new complete root zone.</t>
> 
> (Suggestions for better wording are welcome!)

Or, as PaulW just pointed out to me offline, I might just be wrong. RFC 8806 
puts a copy of the root zone in an authoritative service next to the resolver, 
not into the cache. Thus, priming the cache is still needed, it's just done 
much more locally.

I have removed the paragraph proposed above, and replaced it near the front of 
the document with:

<t>Some systems serve a copy of the full root zone on the same server as the 
resolver,
such as is described in <xref target="RFC8806"/>.
In such a setup, the resolver primes its cache using the same methods as 
described in the rest of this document.</t>

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
