Local Slave copy of root zone
gtaylor at tnetconsulting.net
Mon Aug 20 16:00:48 UTC 2018
On 08/20/2018 05:23 AM, Tony Finch wrote:
> If the local root zone gets corrupted somehow (maliciously or otherwise)
> the usual setup cannot detect a problem, but it'll cause DNSSEC validation
> failures downstream. The normal resolver / validator algorithm is
> more robust.
> The new mirror zone code validates the root zone before installing
> it, which at least allows it to detect a problem; I have not examined
> it closely enough to see how hard it tries to recover by xfering the
> zone from a different root server, or if it just falls back to normal
Thank you for that explanation. It explains why it's potentially
dangerous to blindly slave the root zone for general use by clients on a
local recursive resolver.
Grant. . . .
unix || die
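An added named.conf example, not part of the original post, contrasting the plain slaved root zone the thread warns about with the BIND 9.12 mirror zone Tony refers to; the primary-server addresses are RFC 5737 placeholders, not real root-server addresses.

```conf
// Added example (not from the original post): two ways of holding a local
// copy of the root zone in BIND named.conf. Only one zone "." stanza may
// be active at a time; both are shown for comparison.

options {
    // Needed for (b); harmless for (a). A mirror zone is only usable when
    // validation is enabled, because the transferred zone is validated
    // against the configured trust anchor before it is served.
    dnssec-validation auto;
};

// (a) Plain slave copy, the setup discussed in the thread. named serves
//     whatever it transferred; a corrupted or tampered copy is not noticed
//     here and only shows up as DNSSEC validation failures at clients.
zone "." {
    type slave;
    file "root.slave";
    masters { 192.0.2.1; 192.0.2.2; };   // placeholder addresses
    notify no;
};

// (b) Mirror zone (BIND 9.12 and later). The transferred zone is validated
//     before it is installed; a copy that fails validation is not served,
//     so the failure is detected locally instead of at downstream clients.
zone "." {
    type mirror;
    file "root.mirror";
    masters { 192.0.2.1; 192.0.2.2; };   // placeholder addresses
};
```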