Local Slave copy of root zone

Michał Kępień michal at isc.org
Thu Aug 16 06:28:35 UTC 2018

> BIND 9.14 will have an improved local root implementation (called a
> "mirror" zone) which validates the zone so you don't blindly serve bogus
> data. The feature is available now in the 9.13 dev branch; I have not
> tried mirroring the arpa zones - the docs suggest that isn't a supported
> config for mirror zones.

The catch is that, as of current master, you would have to configure
trusted-keys/managed-keys for each zone you would like to mirror.  In
other words, the chain of trust from the root is currently not
established automatically when a mirror zone is validated.  This might
change in the future, but since the root zone is the primary use case
and a default trust anchor for the root zone is installed implicitly, I
would not hold my breath for it.

Best regards,
Michał Kępień
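
An added example, not part of the original message or of BIND: a small lint that flags mirror zones with no matching trusted-keys/managed-keys entry, the gap described above. It assumes comment-free input such as the output of `named-checkconf -p`, and accepts both `type mirror;` and `mirror yes;` as the way a zone is marked as a mirror. The sample configuration, zone names and key data are constructed placeholders.

```python
import re

# Constructed named.conf fragment (not from the post); key data is a placeholder.
SAMPLE_CONF = '''
managed-keys {
    example.org. initial-key 257 3 8 "PLACEHOLDER-KEY-DATA";
};
zone "." { type mirror; };
zone "example.org" { type mirror; masters { 192.0.2.1; }; };
zone "example.net" { type slave; mirror yes; masters { 192.0.2.1; }; };
zone "example.com" { type slave; masters { 192.0.2.1; }; };
'''

def _norm(name):
    """Lower-case a zone/key name, drop quotes and the trailing dot."""
    name = name.strip('"').lower().rstrip(".")
    return name or "."

def _blocks(conf, keyword_re):
    """Yield (header, body) for each `keyword header { body }` statement."""
    for m in re.finditer(keyword_re + r'([^{;]*)\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def anchored_names(conf):
    """Names that have an explicit trusted-keys/managed-keys entry."""
    names = set()
    for _, body in _blocks(conf, r'\b(?:trusted|managed)-keys\b'):
        for entry in body.split(";"):
            if entry.split():
                names.add(_norm(entry.split()[0]))
    return names

def mirrors_without_anchor(conf):
    """Mirror zones that would be validated with no configured trust anchor."""
    anchors = anchored_names(conf) | {"."}  # root anchor is implicit, per the post
    missing = []
    for header, body in _blocks(conf, r'\bzone\b'):
        is_mirror = re.search(
            r'\btype\s+mirror\s*;|\bmirror\s+(?:yes|true|1)\s*;', body)
        if is_mirror and header.split() and _norm(header.split()[0]) not in anchors:
            missing.append(_norm(header.split()[0]))
    return missing

if __name__ == "__main__":
    print(mirrors_without_anchor(SAMPLE_CONF))
```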

