Moin!

On 08 Jul 2014, at 17:14, Tony Finch <d...@dotat.at> wrote:

> Ralf Weber <d...@fl1ger.de> wrote:
>> 
>> I think if we think of the resolver having another auth root server at
>> localhost the logic is easier to understand and makes much more sense as
>> DNSSEC protections would kick in even if someone managed to inject a bad
>> zone.
> 
> I think that is too simplistic: simply slaving the root zone doesn't give
> you any good way to detect or recover from a corrupted zone transfer. By
> the time normal DNSSEC validation has detected any problems it is too
> late.

Why, you can still use 13 other real root servers to try from. And once this is
known you can just tell the auth server portion to slave the zone again. But
granted, a validation after the transfer would be a good thing.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
