Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

[Doug Barton <dougb@dougbarton.us>]

What about something like this:

When using BIND, or other software that can act as both a recursive and 
authoritative server in the same instance, there is a tradeoff between 
using a separate view (or separate instance) for slaving the root zone, 
versus slaving the zone into the same view (or instance) where the 
recursion is occurring.

Using a separate view/instance has the advantage that when the recursor 
is also performing DNSSEC validation that the DS records in the slaved 
zone will also be validated. In BIND this validation does not occur when 
the zone is slaved into the same view/instance where the 
recursion/validation is occurring.

Slaving the zone into the same view/instance as the recursion has the 
advantage that when changes happen to the data in the zone the recursive 
view/instance will be updated as soon as it receives its copy of the 
zone. When using a separate view for slaving the zone the recursive 
instance will cache all of the queries it looks up. Currently the TTL 
for DS and delegation NS records is 2 days.


On 11/20/14 10:52 AM, Bob Harold wrote:
> Thanks Paul,
>     I use BIND, but am not an expert.  Based on the discussion I will
> suggest some words and the experts can correct me:
>
>     Note:  By using a separate view, the "recursive" view will do DNSSEC
>     validation on the responses it receives from the "root" view, which
>     is necessary for security.  It will cache the answers, including the
>     validation.
>
>     Alternatively, if the root zone was loaded directly in the
>     "recursive" view, then DNSSEC validation would not be done, as BIND
>     would trust the zone.  Then you would want to do separate validation
>     on the zone during zone transfers.  This might result in less
>     caching and less time spent validating, but requires a more complex
>     configuration.
>
>
>
>
> --
> Bob Harold
> hostmaster, UMnet, ITcom
> Information and Technology Services (ITS)
> rharolde@umich.edu <mailto:rharolde@umich.edu>
> 734-647-6524 desk
>
> On Thu, Nov 20, 2014 at 1:25 PM, Paul Hoffman <paul.hoffman@vpnc.org
> <mailto:paul.hoffman@vpnc.org>> wrote:
>
>     On Nov 20, 2014, at 10:20 AM, Bob Harold <rharolde@umich.edu
>     <mailto:rharolde@umich.edu>> wrote:
>     > I can see where "validate on zone transfer" would be a feature request.  And "validate everything" similarly.
>     >
>     > For the draft, could a small paragraph be added explaining the difference between using a separate view for the root zone and just loading it in the same view, so that people like me realize the tradeoffs before we decide to implement the draft with what we might think is a minor simplification, not realizing the impact?
>
>     Yes, we can add this to the BIND example in the appendices. Given
>     that I kinda suck at BIND, proposed wording would cause less grief
>     in the next draft...
>
>     --Paul Hoffman
>
>