Validating zones as a slave? (Fw: [DNSOP] I-D Action: draft-ietf-dnsop-root-loopback-04.txt)
Shane Kerr
shane at time-travellers.org
Wed Sep 16 11:42:02 UTC 2015
Paul,
On Wed, 16 Sep 2015 03:52:21 -0700
Paul Vixie <paul at redbarn.org> wrote:
>
>
> Shane Kerr wrote:
> > ...
> >
> > The model does prevent incorrect answers from reaching clients, but as
> > you point out, validation failure means the service will stop working.
>
> that's what dnssec does.
>
> that is in fact all that dnssec can do.
>
> what behaviour would you have instead?
Reject that XFR and try a different master.
Or if you have no master willing to give you a zone that you can
validate, reject those XFR and schedule another XFR "soon", with the
hope that whatever is breaking the zone will get fixed.
Cheers,
--
Shane
More information about the bind-workers
mailing list