Re: [DNSOP] Adding more example configurations to draft-ietf-dnsop-7706bis

Michał Kępień <michal@isc.org> Tue, 19 February 2019 11:54 UTC

To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qrxW02aaCSTwolRiTn8QQLS_Xwc>

Hi Paul,

Apologies for being late to the party.

> I have seen messages in the past few months about some vendors adding 7706, or 7706-like, support to recent versions of their resolvers. It would be grand if those of you who have shipping implementations of this could send the configuration steps to the list so we can add them to the appendix.

BIND 9.14, i.e. the upcoming stable BIND release, will ship with a
feature called mirror zones which facilitates setting up a local,
DNSSEC-validated copy of the root zone.

As of the currently available BIND 9.13.6 development release, a default
list of primary servers for the IANA root zone is built into named and
thus its mirroring can be enabled using the following configuration
snippet:

    zone "." {
        type mirror;
    };

(The above snippet is intended to be used instead of the example BIND
configuration provided in Appendix B to RFC 7706, not in addition to
it.)

Chapter 5 of the BIND 9 ARM discusses how mirror zones work in more
detail:

    https://bind.isc.org/doc/arm/9.13/Bv9ARM.ch05.html#zone_types

Please let me know if anything above is unclear.

-- 
Best regards,
Michał Kępień
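
The message says the mirror snippet replaces the RFC 7706 Appendix B configuration rather than supplementing it. The check below looks for root zone definitions left behind after the switch. It is an added example, not part of the original message and not ISC code. The sample configuration is constructed, and the set of "legacy" zone types is an assumption about what an Appendix B-style setup contains.

```python
import re

# Constructed sample: mirror zone added while an Appendix B-style view was left behind.
SAMPLE_CONF = r'''
options { directory "/var/named"; };
view "root" {
    zone "." { type slave; file "rootzone.db"; notify no; };  /* leftover */
};
view "recursive" {
    // zone "." { type static-stub; server-addresses { 127.12.12.12; }; };
    zone "." {
        type mirror;   # snippet from the message
    };
};
'''

# Assumption: root zone types that an RFC 7706 Appendix B-style setup relies on.
LEGACY_TYPES = {"slave", "secondary", "static-stub"}

def strip_comments(text):
    """Drop /* */, // and # comments, leaving quoted strings untouched."""
    pattern = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return re.sub(pattern, keep, text, flags=re.S)

def root_zone_types(conf):
    """Return the type of every zone "." statement, in file order."""
    text = strip_comments(conf)
    types = []
    for m in re.finditer(r'\bzone\s+"\."\s*(?:\w+\s*)?\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:      # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        found = re.search(r'\btype\s+([\w-]+)\s*;', text[m.end():i - 1])
        types.append(found.group(1) if found else None)
    return types

def audit(conf):
    """Report whether the root is mirrored and which legacy definitions remain."""
    types = root_zone_types(conf)
    return {"mirror": "mirror" in types,
            "leftover": [t for t in types if t in LEGACY_TYPES]}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A non-empty "leftover" list means a root zone definition other than the mirror zone is still active and should be reviewed; commented-out definitions are ignored.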