Validating zones as a slave? (Fw: [DNSOP] I-D Action: draft-ietf-dnsop-root-loopback-04.txt)

Tony Finch dot at dotat.at
Tue Sep 15 11:17:35 UTC 2015


Shane Kerr <shane at time-travellers.org> wrote:
>
> I was looking at the latest revision of the root loopback draft and it
> occurred to me that one possible issue is that the BIND 9
> authoritative server here has some risk of downloading an invalid root
> file.
>
> I realize that the chances are quite slim that any of the IP addresses
> would ever provide anything other than the latest version of the root,
> but it is not 100% impossible.

If you are a stealth secondary then your zone transfers can be fairly
trivially modified in transit.

> I wonder if it makes sense to add some sort of provision like this to
> BIND 9? It seems like it could be generally useful for a slave server
> to reject a zone from a master that fails DNSSEC validation.

An alternative is to be a stealth master. Use a cron job to retransfer the
zone with dig, run dnssec-verify, and if it works update named's copy of
the zone. But this is fiddly to set up.

My toy server uses Mark's trick of secondarying the root zone to an
authoritative view, and having a static-stub root zone in the recursive
view. If the zone gets corrupted in transit then validation will fail and
recursive service will stop working.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
moderate, but rough in southwest Viking. Showers later. Good, occasionally
poor later.


More information about the bind-workers mailing list