the following configuration is known to work with unbound 1.8.x

Seems it does not make a difference whether it is 1.7.3 or 1.8.x

auth-zone:
        name: "."

The syntax "" for name: is not stipulated in the online documentation, that is, for auth-zone:. Why is it being used then? unbound-checkconf does not report an error either way, i.e. whether it reads name: "." or name: ., and the outcome of the query is the same.

        for-downstream: no

That does not make sense to me considering the purpose of transferring the root zone: "If enabled, unbound serves authority responses to downstream clients for this zone. This option makes unbound behave, for the queries with names in this zone, like one of the authority servers for that zone."

Setting it to no defeats that purpose, as a query for an SLD does not resolve either:

# dig bbc.com

; <<>> DiG 9.11.2-P1 <<>> bbc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34029
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com.                       IN      A

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 18:40:37 CET 2018
;; MSG SIZE  rcvd: 36


        for-upstream: yes

According to the online documentation this is a default setting and thus redundant to my understanding.


        fallback-enabled: yes

Only then does the SLD resolve, but that renders the transfer of the root zone redundant, i.e. there is no apparent benefit/advantage of having a local copy of the root zone with its delegated TLDs.

The purpose of featuring a local copy of the root zone was that TLD queries are served locally rather than generating upstream queries to the NS of the TLD, thus reducing the number of upstream queries to authoritative servers and speeding up lookups, but also enhancing privacy for client queries.



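As an added example (not code from the thread or from the unbound project): a small Python checker for auth-zone: clauses like the one discussed above. It normalises the name: value so that name: "." and name: . compare equal, which matches what unbound-checkconf accepts either way, and it reports which options merely restate the documented default (for-upstream: yes in this snippet) versus which ones change behaviour. The default table is an assumption taken from my reading of unbound.conf(5), the sample configuration is constructed for this example, and the checker is a review aid, not a substitute for running unbound-checkconf and a test query.

```python
"""Checker for unbound auth-zone: clauses (added example, not unbound code)."""

# Documented defaults for auth-zone options (assumption: from unbound.conf(5)).
AUTH_ZONE_DEFAULTS = {
    "for-downstream": "yes",
    "for-upstream": "yes",
    "fallback-enabled": "no",
}

# Constructed sample config mirroring the snippet discussed in the thread.
SAMPLE_CONF = """\
server:
    verbosity: 1

auth-zone:
        name: "."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
"""


def normalise_value(value):
    """Strip one optional pair of double quotes, so "." and . compare equal."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value


def parse_auth_zones(text):
    """Return a list of dicts, one per auth-zone: clause, keyed by option name.

    Understands the subset of unbound.conf syntax used here: clause headers
    (a word ending in ':' on its own line), 'key: value' options and '#'
    comments.  Options in other clauses (server:, etc.) are ignored.
    """
    zones = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:
            # A new clause starts; only auth-zone: clauses are collected.
            current = {} if line == "auth-zone:" else None
            if current is not None:
                zones.append(current)
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = normalise_value(value)
    return zones


def audit_zone(zone):
    """Classify a zone's options against the documented defaults.

    Returns {"redundant": [...], "non_default": {...}, "unknown": [...]}:
    'redundant' options restate the default and could be omitted,
    'non_default' options change behaviour relative to the default,
    'unknown' options are not in the default table above.
    """
    report = {"redundant": [], "non_default": {}, "unknown": []}
    for key, value in zone.items():
        if key == "name":
            continue
        default = AUTH_ZONE_DEFAULTS.get(key)
        if default is None:
            report["unknown"].append(key)
        elif value == default:
            report["redundant"].append(key)
        else:
            report["non_default"][key] = value
    return report


if __name__ == "__main__":
    for zone in parse_auth_zones(SAMPLE_CONF):
        print(zone.get("name"), audit_zone(zone))
```

Run against the sample above, the report lists for-upstream as redundant and for-downstream: no plus fallback-enabled: yes as the two settings that actually differ from the defaults, which is exactly the pair whose combined effect the thread is questioning.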