Validating zones as a slave? (Fw: [DNSOP] I-D Action: draft-ietf-dnsop-root-loopback-04.txt)
Shane Kerr
shane at time-travellers.org
Tue Sep 15 06:37:30 UTC 2015
All,
I was looking at the latest revision of the root loopback draft and it
occurred to me that one possible issue is that the BIND 9
authoritative server here has some risk of downloading an invalid root
file.
I realize that the chances are quite slim that any of the IP addresses
would ever provide anything other than the latest version of the root,
but it is not 100% impossible.
If you were to download the root file by hand then you could check the
DNSSEC signatures on it before loading it. For example, you could use
ldns-verify-zone or jdnssec-verify (I don't know of a utility that
ships with BIND 9).
I wonder if it makes sense to add some sort of provision like this to
BIND 9? It seems like it could be generally useful for a slave server
to reject a zone from a master that fails DNSSEC validation.
Cheers,
--
Shane
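One way to apply the check described above as an operational gate, added here as an example and not code from the draft, from BIND 9 or from the author: the script transfers the root zone from one configured source, runs ldns-verify-zone against the candidate file and only then replaces the copy the loopback authoritative server loads, so a transfer that fails validation never reaches the server. The source address, the paths, the optional TRUST_ANCHOR file (passed to ldns-verify-zone's -k so the chain is checked against a key the operator chose rather than the DNSKEYs inside the file) and the VERIFY_CMD override are assumptions; the override exists so the gating logic can be exercised without the tool installed.

```shell
#!/bin/sh
# Fetch, verify, then install a local copy of the root zone (added example).
# Assumptions: ROOT_XFR_SOURCE is a placeholder for an address that permits AXFR
# of the root zone; ZONE_DIR is where the loopback server reads root.zone from.
set -u

ROOT_XFR_SOURCE="${ROOT_XFR_SOURCE:-192.0.2.1}"   # placeholder, not a real source
ZONE_DIR="${ZONE_DIR:-/var/cache/bind}"
TRUST_ANCHOR="${TRUST_ANCHOR:-}"                  # file with the root DS/DNSKEY
VERIFY_CMD="${VERIFY_CMD:-ldns-verify-zone}"      # overridable for offline tests

# fetch_root_zone DEST: transfer the full root zone into DEST.
fetch_root_zone() {
    dig @"$ROOT_XFR_SOURCE" . AXFR +onesoa +nocmd +nostats > "$1"
}

# verify_root_zone FILE: 0 only if the verifier accepts every RRSIG; 2 for an
# empty or missing file (a failed AXFR must never count as a valid zone).
verify_root_zone() {
    [ -s "$1" ] || return 2
    # shellcheck disable=SC2086  # -k and its value are intended as two words
    "$VERIFY_CMD" ${TRUST_ANCHOR:+-k "$TRUST_ANCHOR"} "$1"
}

# install_if_valid CANDIDATE TARGET: atomically replace TARGET only when
# CANDIDATE verifies; otherwise discard CANDIDATE and keep the previous copy.
install_if_valid() {
    candidate="$1"
    target="$2"
    if verify_root_zone "$candidate"; then
        mv -f "$candidate" "$target" && return 0
        return 1
    fi
    rm -f "$candidate"
    return 1
}

# Usage: "refresh" runs the whole gate; the exit status is non-zero when the
# new copy was rejected, so the previous (still valid) copy stays in service.
if [ "${1:-}" = "refresh" ]; then
    tmp=$(mktemp "$ZONE_DIR/root.zone.XXXXXX") || exit 1
    fetch_root_zone "$tmp" && install_if_valid "$tmp" "$ZONE_DIR/root.zone"
fi
```

After a successful install the server still has to be told to reload the zone (for BIND 9, rndc reload of the root zone), which the script deliberately leaves to the operator's existing tooling.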
Begin forwarded message:
Date: Mon, 14 Sep 2015 12:20:46 -0700
From: internet-drafts at ietf.org
To: <i-d-announce at ietf.org>
Cc: dnsop at ietf.org
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-root-loopback-04.txt
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Domain Name System
Operations Working Group of the IETF.
Title : Decreasing Access Time to Root Servers by Running One on Loopback
Authors : Warren Kumari, Paul Hoffman
Filename : draft-ietf-dnsop-root-loopback-04.txt
Pages : 11
Date : 2015-09-14
Abstract:
Some DNS recursive resolvers have longer-than-desired round trip
times to the closest DNS root server. Some DNS recursive resolver
operators want to prevent snooping of requests sent to DNS root
servers by third parties. Such resolvers can greatly decrease the
round trip time and prevent observation of requests by running a copy
of the full root zone on a loopback address (such as 127.0.0.1).
This document shows how to start and maintain such a copy of the root
zone that does not pose a threat to other users of the DNS, at the
cost of adding some operational fragility for the operator.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-root-loopback/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-dnsop-root-loopback-04
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-root-loopback-04
Please note that it may take a couple of minutes from the time of
submission until the htmlized version and diff are available at
tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/