What about something like this:
When using BIND, or other software that can act as both a recursive and
authoritative server in the same instance, there is a tradeoff between
using a separate view (or separate instance) for slaving the root zone,
versus slaving the zone into the same view (or instance) where the
recursion is occurring.
Using a separate view/instance has the advantage that, when the recursor
is also performing DNSSEC validation, the DS records in the slaved
zone will also be validated. In BIND this validation does not occur when
the zone is slaved into the same view/instance where the
recursion/validation is occurring.
Slaving the zone into the same view/instance as the recursion has the
advantage that, when changes happen to the data in the zone, the recursive
view/instance will be updated as soon as it receives its copy of the
zone. When using a separate view for slaving the zone, the recursive
instance will cache all of the queries it looks up. Currently the TTL
for DS and delegation NS records is 2 days.
On 11/20/14 10:52 AM, Bob Harold wrote:
Thanks Paul,
I use BIND, but am not an expert. Based on the discussion I will
suggest some words and the experts can correct me:
Note: By using a separate view, the "recursive" view will do DNSSEC
validation on the responses it receives from the "root" view, which
is necessary for security. It will cache the answers, including the
validation.
Alternatively, if the root zone was loaded directly in the
"recursive" view, then DNSSEC validation would not be done, as BIND
would trust the zone. Then you would want to do separate validation
on the zone during zone transfers. This might result in less
caching and less time spent validating, but requires a more complex
configuration.
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
On Thu, Nov 20, 2014 at 1:25 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
On Nov 20, 2014, at 10:20 AM, Bob Harold <rharo...@umich.edu> wrote:
> I can see where "validate on zone transfer" would be a feature request. And
> "validate everything" similarly.
>
> For the draft, could a small paragraph be added explaining the difference
> between using a separate view for the root zone and just loading it in the same
> view, so that people like me realize the tradeoffs before we decide to implement
> the draft with what we might think is a minor simplification, not realizing the
> impact?
Yes, we can add this to the BIND example in the appendices. Given
that I kinda suck at BIND, proposed wording would cause less grief
in the next draft...
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
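The two arrangements the thread compares, written out as a BIND named.conf fragment. This is an added example, not text from the draft or from any of the posters. The loopback address 127.12.12.12, the zone file name and the particular masters are assumptions: the address is an arbitrary choice, and the masters are root servers generally known to permit AXFR of the root zone, which should be checked against the current list before use.

```conf
// Added example (not from the draft or the thread). Arrangement A:
// slave the root zone into its own view and have the recursive view
// reach it over loopback. The recursive view sees the root data as
// ordinary answers, so its validator checks the DS records and caches
// them for their TTL (2 days for DS and delegation NS as of this thread).

options {
    listen-on { 127.0.0.1; 127.12.12.12; };   // 127.12.12.12: arbitrary local address
    dnssec-validation auto;                    // built-in root trust anchor (BIND 9.8+)
};

view "root" {
    match-destinations { 127.12.12.12; };      // only queries sent to the loopback address
    recursion no;
    zone "." {
        type slave;
        file "rootzone.db";                    // assumed file name
        notify no;
        masters {
            192.33.4.12;                       // c.root-servers.net
            192.5.5.241;                       // f.root-servers.net
            192.112.36.4;                      // g.root-servers.net
            193.0.14.129;                      // k.root-servers.net
        };
    };
};

view "recursive" {                             // matches everything the root view did not
    recursion yes;
    dnssec-validation auto;
    // Root queries go to the local copy instead of the real root servers;
    // delegations and DS records are then validated and cached as usual.
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};

/*
 * Arrangement B: slave the root zone directly into the recursive view.
 * Drop the "root" view and replace the static-stub zone above with the
 * slave zone below. Changes are picked up as soon as the transfer lands,
 * but BIND treats the slaved zone as authoritative data, so the validator
 * does not check its DS records; the transferred zone would have to be
 * validated separately, as the thread notes.
 *
 *   zone "." {
 *       type slave;
 *       file "rootzone.db";
 *       notify no;
 *       masters { 192.33.4.12; 192.5.5.241; 192.112.36.4; 193.0.14.129; };
 *   };
 */
```

With arrangement A, `named-checkconf` accepts the file as written and the order of the views matters: the "root" view must come first, since a view with no match clause matches every remaining query.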