Local Slave copy of root zone

Grant Taylor gtaylor at tnetconsulting.net
Mon Aug 20 16:00:48 UTC 2018

On 08/20/2018 05:23 AM, Tony Finch wrote:
> If the local root zone gets corrupted somehow (maliciously or otherwise) 
> the usual setup cannot detect a problem, but it'll cause DNSSEC validation 
> failures downstream. The normal resolver / validator algorithm is 
> more robust.
> The new mirror zone code validates the root zone before installing 
> it, which at least allows it to detect a problem; I have not examined 
> it closely enough to see how hard it tries to recover by xfering the 
> zone from a different root server, or if it just falls back to normal 
> resolution.

Thank you for that explanation.  It explains why it's potentially 
dangerous to blindly slave the root zone for general use by clients on a 
local recursive resolver.

Grant. . . .
unix || die
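
The two setups contrasted in this thread, as named.conf fragments (an added example, not from either poster or from ISC). The file names and the choice of two transfer sources are assumptions, and `type mirror` needs a BIND release that includes the mirror zone code.

```conf
// Alternative 1: plain slave copy of the root zone (the "usual setup").
// named installs whatever the transfer delivers; a corrupted copy is only
// noticed later, as DNSSEC validation failures at downstream validators.
zone "." {
    type slave;
    file "root.slave.db";        // assumed file name
    notify no;
    masters {
        192.5.5.241;             // f.root-servers.net
        193.0.14.129;            // k.root-servers.net
    };
};

// Alternative 2 (use instead of the block above, not together with it):
// mirror zone. The transferred zone is DNSSEC-validated against the
// configured root trust anchor before it is installed. For the root zone
// BIND has a built-in list of primaries, so none are listed here.
zone "." {
    type mirror;
    file "root.mirror.db";       // assumed file name
};
```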
