Local Slave copy of root zone

Doug Barton dougb at dougbarton.us
Tue Aug 21 05:06:20 UTC 2018

On 08/20/2018 09:00 AM, Grant Taylor via bind-users wrote:
> On 08/20/2018 05:23 AM, Tony Finch wrote:
>> If the local root zone gets corrupted somehow (maliciously or 
>> otherwise) the usual setup cannot detect a problem, but it'll cause 
>> DNSSEC validation failures downstream. The normal resolver / validator 
>> algorithm is more robust.
>> The new mirror zone code validates the root zone before installing it, 
>> which at least allows it to detect a problem; I have not examined it 
>> closely enough to see how hard it tries to recover by xfering the zone 
>> from a different root server, or if it just falls back to normal 
>> resolution.
> Thank you for that explanation.  It explains why it's potentially 
> dangerous to blindly slave the root zone for general use by clients on a 
> local recursive resolver.

No, it doesn't do that at all. It may be true that the new mirror zone 
code does awesome things to make sure that the slaved zone is identical 
to the master's, I don't know, I haven't seen it.

But that doesn't mean that slaving a zone, any zone, including the root, 
is "dangerous." If slaving zones is dangerous, the DNS is way more 
fragile than it already is.

The DNSSEC validation errors that Tony references are self-healing, in 
that if the validating resolver stops validating things, the operator is 
hopefully going to notice that, and take steps to fix it. And I have 
always said that you should not be slaving the root unless you already 
have a good mechanism for making sure that said slaving isn't failing. 
(In other words, don't go into this, or any other configuration blind.)

I am certainly open to the new mirror zone software doing awesome 
things, don't get me wrong. But don't call something "dangerous" that 
lots of people have already been using successfully for over 15 years.

More information about the bind-users mailing list