On Mon, Nov 10, 2014 at 07:03:40PM +0800, Davey Song wrote:
> There is a test we have done to implement and verify the idea of Loopback
> server according to the draft (draft-wkumari-dnsop-root-loopback-00). There
> are some findings and questions which you guys can help us to address.

Your implementation is problematic in several ways, most notably that it involves adding an additional record to the root NS RRset, which will cause DNSSEC-validating clients to fail.

A better approach is to leave the root zone intact and use a static-stub zone in the resolver, which redirects all traffic for a specified zone (in this case the root) to a particular server or set of servers.

Attached is a sample named.conf configuration which implements this using a "root" view for the root zone slave, and a "recursive" view for recursion. DNSSEC validation works correctly and the root zone will sync correctly.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
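
The attachment is not reproduced on this page. The two-view layout the message describes could look like the following added example, which is not the configuration attached to the original mail: the loopback address 127.12.12.12, the directory, the file name, the recursion ACL and the transfer sources (documentation placeholders) are all assumptions.

```conf
// Added example; addresses, paths and ACLs are assumptions.
options {
    directory "/var/named";              // assumed working directory
    // 127.12.12.12 is an assumed dedicated loopback address; it must also
    // be configured on the host's loopback interface.
    listen-on { 127.0.0.1; 127.12.12.12; };
};

// "root" view: matches only queries sent to the dedicated loopback address
// and serves an unmodified, transferred copy of the root zone, so the
// signed NS RRset is exactly what the root publishes.
view root {
    match-destinations { 127.12.12.12; };
    recursion no;
    zone "." {
        type slave;                      // spelled "secondary" in current BIND
        file "rootzone.db";
        notify no;
        masters {                        // spelled "primaries" in current BIND
            192.0.2.1;                   // placeholder: server allowing AXFR of "."
            192.0.2.2;                   // placeholder
        };
    };
};

// "recursive" view: handles all other queries. The static-stub zone sends
// every query for the root to the local copy instead of the root hints,
// while validation still chains from the normal root trust anchor.
view recursive {
    dnssec-validation auto;
    recursion yes;
    allow-recursion { localhost; };      // assumed policy
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
```

Running `named-checkconf` on the file catches syntax errors before a reload, and `dig +dnssec . NS @127.0.0.1` should return an answer with the `ad` flag set once the root zone has transferred.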