this isn't about views, or bind. rfc 1034 directly contemplated a server that had both recursive and authoritative responsibilities and content. however, the specification was incomplete, and early BIND (everything before BIND9) got it wrong.

a short amendment to rfc 1034 stating that authoritative and recursive data should not be mixed in the same data structure, that the RD bit of a query should control which data structure (recursive or authoritative) was searched, and giving specific fall-through conditions under which an RD=1 query could access authoritative data, would have fixed it. however, we (the whole dns community) were in a panic about the number of authority-data pollution events that had come from these "mixed mode" servers, and so there's now a general prohibition against "mixed mode" servers, even though BIND9 still supports it for backward compatibility with old BIND8 installations.

DNSSEC was being worked on during these panicked times, and the general prohibition was very much top-of-mind, and as a result, mixed-mode DNSSEC servers containing both authoritative and recursive data are unspecified. being unspecified is not always a death sentence, but in this case, it is. there is no way to truly validate a zone after an ixfr or axfr without performing some queries, to validate the chain all the way back to a trust anchor. however, an authority server is not required in DNSSEC to ever make queries, or to have any trust anchors installed. so, the best an authoritative-only DNSSEC server can do is integrity checking against a zone's own keys and signatures, but this leaves it open to a man-in-the-middle attack where someone uses ARP or IGP or EGP poison to hijack the master's address and then uses the axfr protocol to send an entirely bogus yet entirely self-consistent zone. in other words, the only DNSSEC server that could truly validate a zone's content after ixfr/axfr is a mixed-mode server, which has not been specified.

so, mr. hoffman, the right text to cover this case would look like the following:

"Note that there exist mixed-mode servers offering both authoritative and recursive service, but there is no current standard by which authoritative data is used for validation or returned in recursive queries in such a server. This document therefore specifies only the two-servers model, where root name service is provided by an authority server (subtype: stealth slave) running on the host's loopback network, and special configuration is used in that host's recursive name server to use this loopback authority server for DNS root queries. By implication, the validation of the content of this stealth-slave's root zone is entirely the responsibility of the co-hosted RDNS server. Any future revision to this specification which allows for mixed-mode DNS service will have the burden of explaining how the validation function is to be performed. Absent such specification, mixed-mode DNSSEC service is outside the scope of this document."

i didn't enjoy mr. barton's freebsd stealth-roots-everywhere experiment, and this is one of the reasons why.

vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
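The "two-servers model" in the proposed text above, expressed as two separate BIND named.conf fragments. This is an added illustration, not part of the original post and not text from the draft being discussed: one named instance is an authoritative-only stealth slave of the root zone bound to a loopback address, with no trust anchors and no recursion; a second named instance is the host's recursive, validating server, pointed at the loopback authority for "." via a static-stub zone. The loopback address 127.0.0.2 (assumes an OS that routes all of 127/8 to the loopback interface), the file names, and the placeholder master address 192.0.2.53 are assumptions; the master must be replaced with a real root-zone transfer source.

```conf
# ---- instance 1: authoritative-only stealth slave of the root zone ----
# /etc/named-rootauth.conf (assumed path). No trust anchors, no recursion:
# all this instance can do after an AXFR/IXFR is check the zone against
# the keys and signatures the zone itself carries.
options {
    directory "/var/named/rootauth";     # assumed path
    listen-on { 127.0.0.2; };            # loopback only; never reachable from the network
    listen-on-v6 { none; };
    recursion no;                        # authority service only
    dnssec-validation no;                # an authority server validates nothing
    allow-query { 127.0.0.0/8; };        # only the co-hosted recursive server asks it
    allow-transfer { none; };
    notify no;                           # "stealth": never listed in NS, never notifies
};

zone "." {
    type slave;
    file "root.db";
    masters { 192.0.2.53; };             # PLACEHOLDER: replace with a real root-zone AXFR source
};

# ---- instance 2: the host's recursive, validating server ----
# /etc/named.conf (assumed path). Validation against a trust anchor happens
# only here; the static-stub zone just redirects root queries to the
# loopback authority instead of the public root servers.
options {
    directory "/var/named";              # assumed path
    listen-on { 127.0.0.1; 192.0.2.10; };  # 192.0.2.10 stands for the host's LAN address
    recursion yes;
    allow-recursion { 127.0.0.0/8; 192.0.2.0/24; };  # assumed local client range
    dnssec-validation auto;              # built-in root trust anchor (RFC 5011 managed keys)
};

zone "." {
    type static-stub;                    # BIND 9.8+: send queries for this zone to fixed addresses
    server-addresses { 127.0.0.2; };     # the loopback stealth slave above
};
```

Usage note: the authority instance can be checked for internal consistency with `dnssec-verify -o . root.db` after a transfer, but as the post explains, that only proves the zone is self-consistent, not that it is the real root zone; a bogus zone delivered by a hijacked master would pass the same check. The chain back to a trust anchor is only verified in the second instance, because it is the only one with `dnssec-validation` enabled and the only one that issues queries, which is why the proposed text puts the validation burden entirely on the co-hosted RDNS server.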