Local Slave copy of root zone

Tony Finch dot at dotat.at
Mon Aug 20 11:23:57 UTC 2018

Doug Barton <dougb at dougbarton.us> wrote:
> How, specifically, is DNSSEC affected by the validating resolver having a
> local copy of the root zone?

If the local root zone gets corrupted somehow (maliciously or otherwise)
the usual setup cannot detect a problem, but it'll cause DNSSEC validation
failures downstream. The normal resolver / validator algorithm is more

The new mirror zone code validates the root zone before installing it,
which at least allows it to detect a problem; I have not examined it
closely enough to see how hard it tries to recover by xfering the zone
from a different root server, or if it just falls back to normal

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Westerly, backing
southerly later, 4 or 5, occasionally 6 later in Fair Isle. Moderate,
occasionally slight. Showers then rain. Good, becoming moderate or poor.
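
The two setups contrasted in the message above, as an added named.conf sketch that is not part of the original post or of the BIND distribution. It assumes BIND 9.14 or later syntax; the file name is hypothetical and the transfer sources are a sample of the root server addresses listed in RFC 7706.

```conf
options {
    // Use the built-in root trust anchor. The mirror zone below is
    // validated against it before the transferred copy is installed.
    dnssec-validation auto;
};

// "Usual setup": a plain slave copy of the root zone. The zone contents
// are installed as transferred, with no DNSSEC check, so a corrupted
// copy only shows up later as validation failures downstream.
// Shown commented out, because only one zone "." may be configured.
//
// zone "." {
//     type slave;
//     file "root.zone";        // hypothetical file name
//     masters {
//         192.33.4.12;         // c.root-servers.net
//         192.5.5.241;         // f.root-servers.net
//         193.0.14.129;        // k.root-servers.net
//     };
//     notify no;
// };

// Mirror zone: the transferred root zone is DNSSEC-validated before it
// is installed. For the root zone, BIND supplies a default list of
// transfer sources, so none is given here.
zone "." {
    type mirror;
};
```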

More information about the bind-users mailing list