Tony Finch <d...@dotat.at> writes:
> Ray Bellis <r...@bellis.me.uk> wrote:
>>
>> I'd like to see examples of configurations where the local root copy
>> *isn't* on the same host.
>
> It's basically the same as the examples in RFC 7706, but you use the other
> host's address instead of 127.12.12.12. RFC 7706 even says,
>
>    The examples here use a loopback address of 127.12.12.12, but typical
>    installations will use 127.0.0.1.  The different address is used in
>    order to emphasize that the root server does not need to be on the
>    device at "localhost".

This might be just me, but I find that paragraph very confusing.
127.12.12.12 is just as unroutable as 127.0.0.1, and must therefore
belong to the local host. And "localhost" as in the DNS name makes no
sense at all in this context.

When it comes to using 127.0.0.1 for this purpose, I believe you should
recommend some caution.  It's not uncommon to stick "nameserver
127.0.0.1" into the /etc/resolv.conf on recursive servers.  And many
admin fingers will automatically type "dig @127.0.0.1" when they want to
query the local server.  This will give unexpected results if you put a
non-recursive view on that address.

I'd also like to repeat my previous comment on the BIND example config:
Configuring a "static-stub" root zone has some unexpected consequences.
It makes the server refuse non-recursive queries for root instead of
redirecting.  Not a big problem, but it does make "dig +trace" fail with
such a server as a starting point. It would be nice to see this issue
discussed in the RFC, including justification of the "static-stub" zone
type.  The reason for that choice is not obvious.  To me, at least.

Bjørn
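As an added illustration of the caution raised above (this is not part of Bjørn's message, nor the RFC 7706 appendix text verbatim): a BIND named.conf fragment in the RFC 7706 style that puts the authoritative root copy on a dedicated loopback address and leaves 127.0.0.1 on the recursive view, so "nameserver 127.0.0.1" in /etc/resolv.conf and "dig @127.0.0.1" keep behaving as admins expect. The address 127.12.12.12 follows the RFC; the file path, the LAN address 192.0.2.53 and the abbreviated masters list are assumptions made for the example.

```conf
// Added example, not from the message or the RFC. Assumes 127.12.12.12 has been
// added to the loopback interface (e.g. "ip addr add 127.12.12.12/32 dev lo")
// and that the root zone may be transferred from the sources listed below;
// the list is abbreviated, take the current one from RFC 7706 (or RFC 8806).

options {
    // 192.0.2.53 is an assumed LAN address; 127.0.0.1 stays with the
    // recursive view so local tooling is not surprised.
    listen-on { 127.0.0.1; 127.12.12.12; 192.0.2.53; };
    listen-on-v6 { ::1; };
};

// Authoritative copy of the root zone. Only queries sent *to* 127.12.12.12
// land here; nothing else on the host sees this view.
view root {
    match-destinations { 127.12.12.12; };
    recursion no;
    zone "." {
        type slave;                    // BIND 9.14+ also offers "type mirror" (RFC 8806)
        file "/var/cache/bind/rootzone.db";   // assumed path
        notify no;
        masters {
            192.33.4.12;     // c.root-servers.net
            192.5.5.241;     // f.root-servers.net
            193.0.14.129;    // k.root-servers.net
        };
    };
};

// Everything else, including 127.0.0.1, is the ordinary recursive resolver.
// The static-stub root zone sends root queries to the local copy instead of
// the real root servers; this is the zone type whose side effect on
// non-recursive queries ("dig +trace") the message asks the RFC to justify.
view recursive {
    match-destinations { any; };
    recursion yes;
    allow-recursion { localhost; localnets; };
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
```

With this layout a query such as "dig @127.0.0.1 example.com" is answered by the recursive view, while "dig @127.12.12.12 . SOA +norecurse" hits the local root copy directly, which is a quick way to confirm that the transfer succeeded and that the two views are split as intended.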

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop