Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-14 Thread Tony Finch
So I have adjusted the configuration on my workstation's name server to include the global root servers (for robustness) as well as a local stealth slave (for low latency). Here's a count of queries directed at the root zone and the servers chosen to handle them. I wonder how different it would be

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote:
>
> um. "type forward" is a possible zone type in bind9. we do it when we deliver DNS RBL policy zones. i was not talking about the kind of forwarding used for recursive service.

Yes, I know that. "type forward" does not work if the server you are forwarding to is authoritat

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Paul Vixie
> Tony Finch
> Wednesday, November 12, 2014 7:30 AM
> Paul Vixie wrote:
>> that's either an argument for listing multiple servers, the first being on the loopback, the other(s) being real global root name servers;
>
> That would probably work.
>
>> or, instead of tellin

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote:
>
> that's either an argument for listing multiple servers, the first being on the loopback, the other(s) being real global root name servers;

That would probably work.

> or, instead of telling bind9 "forward only", tell it "forward first".

That would not work: you can't for

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Paul Vixie
> Tony Finch
> Wednesday, November 12, 2014 7:13 AM
> Paul Vixie wrote:
>>> With normal DNSSEC validation, resolvers have a way to recover from data corruption. With this local root zone proposal they do not.
>> i seem to have missed a step. why?
>
> If a validating re

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote:
>
> it's not the case, period. the root zone happens to be transferred using TSIG keys between the verisign distribution servers and the root publication servers. but for most dnssec-secured zones there is no TSIG.

That surprises me.

>
> With normal DNSSEC validation, resol

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Paul Vixie
> Tony Finch
> Wednesday, November 12, 2014 2:05 AM
>
> Right, but DNSSEC usually assumes that the zone transfers themselves are authenticated, so they can't be corrupted in transit.

no.

> This is not the case for local root zones.

it's not the case, period. the root z

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote:
>
>> I thought the idea of validating the zone transfer before putting the zone live was interesting.
>
> this is something deliberately left out of the dnssec design, because it doesn't obviate validation by query initiators of the underlying data.

Right, but DNSSEC usual

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-11 Thread Paul Vixie
> Tony Finch
> Tuesday, November 11, 2014 1:07 PM
>
> ...
>
> I thought the idea of validating the zone transfer before putting the zone live was interesting.

this is something deliberately left out of the dnssec design, because it doesn't obviate validation by query ini

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-11 Thread Evan Hunt
On Tue, Nov 11, 2014 at 02:43:02PM -0500, Bob Harold wrote:
> Thanks, but what about the case where the zone transfers are refused and the root zone expires? My server is still running, but cannot answer for the root zone. That's a case where I want it to fail over to the real roots.

If th

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-11 Thread Tony Finch
Paul Hoffman wrote:
> Greetings again. Based on some great input from Evan Hunt, we have updated our draft. The algorithm is both simpler and easier to configure. In fact, we have examples of how to configure BIND and Unbound/NSD to match the new spec.

I have been running with a similar co

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-11 Thread Bob Harold
On Tue, Nov 11, 2014 at 2:15 PM, Evan Hunt wrote:
>
>> This sounded good until "Note that using this configuration will cause the recursive resolver to fail if the local root zone server fails." Could I use "forward first" instead of "static-stub" so that it would fall back to the

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-11 Thread Evan Hunt
> This sounded good until "Note that using this configuration will cause the recursive resolver to fail if the local root zone server fails." Could I use "forward first" instead of "static-stub" so that it would fall back to the normal root servers if the local root server could not get zone

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-11 Thread Bob Harold
This sounded good until "Note that using this configuration will cause the recursive resolver to fail if the local root zone server fails." Could I use "forward first" instead of "static-stub" so that it would fall back to the normal root servers if the local root server could not get zone transfe

[DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-11 Thread Paul Hoffman
Greetings again. Based on some great input from Evan Hunt, we have updated our draft. The algorithm is both simpler and easier to configure. In fact, we have examples of how to configure BIND and Unbound/NSD to match the new spec. We'll be talking about the new draft in today's meeting. --Paul