Thanks Paul, I use BIND, but am not an expert. Based on the discussion I will suggest some words and the experts can correct me:

Note: By using a separate view, the "recursive" view will do DNSSEC validation on the responses it receives from the "root" view, which is necessary for security. It will cache the answers, including the validation. Alternatively, if the root zone was loaded directly in the "recursive" view, then DNSSEC validation would not be done, as BIND would trust the zone. Then you would want to do separate validation on the zone during zone transfers. This might result in less caching and less time spent validating, but requires a more complex configuration.

--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk

On Thu, Nov 20, 2014 at 1:25 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:

> On Nov 20, 2014, at 10:20 AM, Bob Harold <rharo...@umich.edu> wrote:
> > I can see where "validate on zone transfer" would be a feature request. And "validate everything" similarly.
> >
> > For the draft, could a small paragraph be added explaining the difference between using a separate view for the root zone and just loading it in the same view, so that people like me realize the tradeoffs before we decide to implement the draft with what we might think is a minor simplification, not realizing the impact?
>
> Yes, we can add this to the BIND example in the appendices. Given that I kinda suck at BIND, proposed wording would cause less grief in the next draft...
>
> --Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
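
The two layouts contrasted in the message above, sketched as a named.conf fragment; this is an added example, not text from the thread or from the draft. The loopback address 127.12.12.12, the file name rootzone.db, the 192.0.2.1 transfer source and the ACLs are assumptions chosen for illustration.

```conf
// Added example; every address and file name here is an assumption.

// Layout A: separate views. The "root" view holds the transferred copy of
// the root zone and answers only on a dedicated loopback address.
view root {
    match-destinations { 127.12.12.12; };  // named must be listening on this address
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            192.0.2.1;  // placeholder: a server that permits AXFR of "."
        };
    };
};

// The "recursive" view is the one clients use. It treats the "root" view as
// an ordinary upstream server, so responses for "." pass through DNSSEC
// validation and the validated answers are cached.
view recursive {
    dnssec-validation auto;
    recursion yes;
    allow-recursion { localnets; localhost; };
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};

// Layout B, for contrast (do not combine with layout A): the apparent
// simplification of loading "." in the resolving view itself.
// view recursive {
//     dnssec-validation auto;
//     recursion yes;
//     allow-recursion { localnets; localhost; };
//     zone "." {
//         type slave;
//         file "rootzone.db";
//         masters { 192.0.2.1; };
//     };
// };
// Here "." is local zone data in the same view that answers clients, so it
// is served as trusted and dnssec-validation is never applied to it. The
// integrity of the transferred zone then has to be checked by other means.
```

In layout A, view order matters: "root" must come first so that queries addressed to the loopback address match it before the catch-all "recursive" view.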