Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

"Paul Hoffman" <paul.hoffman@vpnc.org> Fri, 07 April 2017 15:11 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Bjørn Mork <bjorn@mork.no>
Cc: dnsop@ietf.org
Date: Fri, 07 Apr 2017 08:11:37 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QUx7amDBABBCP30acucRM_BlxHU>

On 7 Apr 2017, at 1:50, Bjørn Mork wrote:

> bert hubert <bert.hubert@powerdns.com> writes:
>> On Fri, Apr 07, 2017 at 10:20:00AM +0200, Bjørn Mork wrote:
>>> Just to avoid any confusion: Although I demonstrated the issue by
>>> running BIND on my laptop only, the real usage scenario is resolver
>>> service for a few million distinct administrative domains (aka
>>> "customers").  Changing the trust anchor is not an option.
>>
>> Perhaps https://lists.isc.org/mailman/listinfo/bind-users is a great place
>> to discuss BIND configurations and issues.
>
> Definitely.  Or even bind-workers when it comes to questions about the
> reason for making static-stub zones recursive only.
>
> The reason I ask here first, is because RFC 7706 includes a BIND
> specific configuration example (as well as examples for other recursive
> server software).  So before considering changing config or code, I
> wanted to know the background of that example. Was there a real reason
> for the obscure(?)  "static-stub" zone type, or was that just an
> arbitrary choice?
>
> My apologies if this is considered OT here. I will shut up now.

The contents of an RFC that went through this WG are not off-topic.
Please do not shut up. (The fact that some people took your original
message into "how to fix it in BIND" instead of your original topic is
not relevant.)

See the archives of this mailing list starting around November 11, 2014, 
in the thread titled "New Version Notification for 
draft-wkumari-dnsop-root-loopback-01.txt".

--Paul Hoffman