Mark Andrews wrote:
> In message <20131128000148.ga20...@mycre.ws>, Robert Edmonds writes:
> > i'm curious as to exactly what this root zone slaved resolver
> > configuration looks like and how it would behave.  i don't believe i've
> > ever set up a resolver like that before.
>
>     zone "." IN {
>         type slave;
>         file "slave/root";
>         masters { 192.5.5.241; };
>         notify no;
>     };
>
> > if i understand things right, this config could only be achieved with
> > particular resolver implementations that combine authoritative and
> > recursive service into the same server, and the only implementation i
> > know of that does that is BIND 9.  i believe unbound, powerdns, BIND 10,
> > djbdns, etc. are all either recursive only, or split recursive and
> > authoritative service into separate daemons, afaik.  but i'm not
> > familiar with any of the closed source implementations.
> >
> > if such a config is possible, how is it supposed to work with DNSSEC?
> > if the DNS server loads a bad copy of the root zone somehow during an
> > AXFR, does it use its configured root trust anchor to determine that its
> > copy of the zone doesn't validate, or does the act of configuring the
> > root zone as an authoritative zone make it more trustworthy, thus
> > overriding the need to do DNSSEC validation at the root level?
>
> You can do stuff like this (cut-and-pasted from a live config).
>
>     managed-keys {
>         . initial-key 257 3 8
>             "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
>     };
>
>     view "secure" {
>         match-clients { localnets; };
>         match-recursive-only yes;
>         zone . {
>             type static-stub;
>             server-addresses { 127.0.0.1; };
>         };
>     };
>
>     view "external" {
>         match-clients { localnets; };
>         recursion no;
>         allow-recursion { none; };
>
>         zone "." IN {
>             type slave;
>             file "slave/root";
>             masters { 192.5.5.241; };
>             notify no;
>         };
>     };
>
> The same trick can be used to validate data from other zones that
> are locally served.

so, just to be clear, this config snippet alone:

    zone "." IN {
        type slave;
        file "slave/root";
        masters { 192.5.5.241; };
        notify no;
    };

is not sufficient if one wants to both slave and validate the root zone?
this snippet will bypass DNSSEC validation if configured into a recursive
server?

-- 
Robert Edmonds

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
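An added check, not from either poster, for the question the thread ends on: whether a given resolver's root-zone answers are actually validated. A resolver that serves a slaved "." in the same view it recurses from answers root queries from authoritative data, so the AA flag is set and the AD (authenticated data) flag is clear; a validating resolver sets AD. The script classifies dig output on that basis. It assumes BIND's dig is installed for the live check; the sample outputs embedded below are constructed, and classify_dig_output and check_resolver are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a resolver's answer for the
# root SOA by its header flags:
#   validated                 - AD set: the resolver DNSSEC-validated the data
#   authoritative-unvalidated - AA set, AD clear: served from a local zone copy
#   unvalidated               - neither: recursive answer with no validation
# Reads dig output on stdin.
classify_dig_output() {
    # Pull "qr aa rd ra" out of the ";; flags: qr aa rd ra; QUERY: 1, ..." line.
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) echo validated ;;
        *" aa "*) echo authoritative-unvalidated ;;
        *)        echo unvalidated ;;
    esac
}

# Live check: ask the resolver at $1 for the root SOA with DO set. Assumes dig.
check_resolver() {
    dig +dnssec @"$1" . SOA | classify_dig_output
}

# Constructed sample dig outputs (only the flags line is inspected).
SAMPLE_SLAVED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# With a resolver address as argument, check it live; otherwise run the samples.
if [ $# -gt 0 ]; then
    check_resolver "$1"
else
    printf '%s\n' "$SAMPLE_SLAVED"    | classify_dig_output
    printf '%s\n' "$SAMPLE_VALIDATED" | classify_dig_output
    printf '%s\n' "$SAMPLE_PLAIN"     | classify_dig_output
fi
```

Run it as `sh check_root_ad.sh 127.0.0.1` against the recursive address; with the two-view setup Mark describes, the "secure" view should report validated, while the single-snippet setup Robert asks about reports authoritative-unvalidated.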