[Yeti DNS Discuss] Yeti back to the future

Joe Abley jabley at hopcount.ca
Mon Oct 26 12:20:38 UTC 2015

On 26 Oct 2015, at 6:59, Stephane Bortzmeyer wrote:

> On Mon, Oct 26, 2015 at 11:34:44AM +0100,
> Shane Kerr <shane at biigroup.cn> wrote
> a message of 56 lines which said:
>> What we *could* do is to check that the root zone is valid on each
>> authority server. There is no provision in any existing DNS software
>> to do this automatically as part of the zone transfer process, but
>> it could be done via scripts or as a periodic (hourly?) audit
>> activity. It would not provide any additional safety for validating
>> resolvers, but it would help non-validating resolvers a bit.
> It seems a good idea and if someone has a student with some free time,
> this would be a cool project to start with DNS.
> I assume the "real" root already does it but I've never seen info
> about these checks. Does anyone know?

I know that no such checks were performed on F or L-Root while I was 
involved with their operation.

There was talk once upon a time about ISI performing checks on B-Root, 
but it was never clear whether they were talking about making sure they 
had the opportunity to carry out such checks or whether they were 
actually doing them.

My sense is that all root server operators today trust the channel 
authentication afforded by the use of TSIG, the truncation protection 
inherent in AXFR (checking for the trailing SOA RRSet) and do no other 
checking. This may well be a natural consequence of the public 
commitment made by all root servers to publish what they are given, 
promptly, without modification (if you did carry out checks, and you 
must be prompt and you can't modify, then I guess you publish anyway, so 
why bother checking).
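
A periodic post-transfer audit of the kind Shane proposes, as an added example (not a script from Yeti or from any root server operator): it applies the AXFR framing check Joe mentions, a leading and trailing apex SOA with matching serials, plus a few structural checks over a constructed, placeholder root-like zone. Signature verification is left to a DNSSEC-aware tool; the names, serial and key material in the sample are assumptions.

```python
"""Post-transfer sanity audit of a root-like zone: the AXFR framing check
(leading and trailing apex SOA with equal serials) plus structural checks a
periodic audit could add. Signatures are not verified here. The sample
transfer below is constructed; names and key material are placeholders."""
APEX = "."
SAMPLE_TRANSFER = """\
. 86400 IN SOA a.example. hostmaster.example. 2015102600 1800 900 604800 86400
. 518400 IN NS a.example.
. 172800 IN DNSKEY 257 3 8 AwEAAexample==
. 172800 IN RRSIG DNSKEY 8 0 172800 20151125000000 20151026000000 12345 . c2ln
test. 172800 IN NS ns.test.
ns.test. 172800 IN A 192.0.2.1
. 86400 IN SOA a.example. hostmaster.example. 2015102600 1800 900 604800 86400
"""

def parse_records(text):
    """Split dig-axfr style 'owner ttl class type rdata' lines into tuples."""
    lines = [l.strip() for l in text.splitlines()]
    return [tuple(l.split(None, 4)) for l in lines if l and not l.startswith(";")]

def soa_serial(rdata):
    return int(rdata.split()[2])  # SOA rdata: mname rname serial refresh ...

def audit_transfer(records, apex=APEX):
    """Return the list of problems found; an empty list means the zone passed."""
    if not records:
        return ["empty transfer"]
    problems = []
    first, last = records[0], records[-1]
    # AXFR framing: the stream starts and ends with the apex SOA and the two
    # serials must agree, otherwise the transfer was truncated or spliced.
    if (first[0], first[3]) != (apex, "SOA"):
        problems.append("first record is not the apex SOA")
    if (last[0], last[3]) != (apex, "SOA"):
        problems.append("trailing apex SOA missing (possible truncation)")
    elif not problems and soa_serial(first[4]) != soa_serial(last[4]):
        problems.append("leading and trailing SOA serials differ")
    types_at = {}
    for owner, _ttl, _cls, rtype, _rdata in records:
        types_at.setdefault(owner, set()).add(rtype)
    for needed in ("NS", "DNSKEY", "RRSIG"):  # a signed apex carries all three
        if needed not in types_at.get(apex, set()):
            problems.append(f"apex lacks {needed}")
    # In a root-like zone every other owner name is a delegation or its glue.
    for owner, types in types_at.items():
        if owner != apex and not types & {"NS", "A", "AAAA"}:
            problems.append(f"{owner}: neither delegation nor glue")
    return problems
```

Run it against the text of a real transfer (for example `dig @server . axfr` output with the comment lines left in) from cron, and alert on any non-empty result.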


