Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

2014-11-17 Thread Doug Barton
On 11/16/14 11:12 PM, Evan Hunt wrote:
> On Sun, Nov 16, 2014 at 03:12:58PM -0800, Doug Barton wrote:
>> Before commenting further I'd love the authors to flesh out their reasoning for not simply slaving the zone where possible.
> I'm not one of the authors, but I can give you an answer: in BIND,

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

2014-11-17 Thread Paul Vixie
Doug Barton mailto:do...@dougbarton.us Monday, November 17, 2014 2:16 PM
> That seems like something that should be fixable in BIND, yes? (And thanks for doing that testing, btw)
it's not broken. dnssec has no facility for validating data at slave synchronization time (after each axfr or

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

2014-11-17 Thread Evan Hunt
On Mon, Nov 17, 2014 at 02:16:22PM -0800, Doug Barton wrote:
> That seems like something that should be fixable in BIND, yes? (And thanks for doing that testing, btw)
Yes, by using two views and slaving the root in one of them and validating in the other one, like it recommends in the draft. :)

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

2014-11-17 Thread Doug Barton
On 11/17/14 2:50 PM, Evan Hunt wrote:
> On Mon, Nov 17, 2014 at 02:16:22PM -0800, Doug Barton wrote:
>> That seems like something that should be fixable in BIND, yes? (And thanks for doing that testing, btw)
> Yes, by using two views and slaving the root in one of them and validating in the other

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

2014-11-17 Thread David Conrad
Nicholas,
On Nov 17, 2014, at 5:50 PM, Nicholas Weaver nwea...@icsi.berkeley.edu wrote:
> Lookups to the root themselves should be rare, and the responses have very long TTLs (48 hours!).
Lookups for names that do not exist are quite (one might say insanely) frequent and the TTL less (Values

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

2014-11-17 Thread Paul Hoffman
On Nov 17, 2014, at 5:50 PM, Nicholas Weaver nwea...@icsi.berkeley.edu wrote:
> Trying to be polite here, but this seems just silly, and the only thing really should be Don't Bother. Root latency frankly speaking does not matter. Lookups to the root themselves should be rare, and the