[Yeti DNS Discuss] Yeti back to the future
jabley at hopcount.ca
Mon Oct 26 12:20:38 UTC 2015
On 26 Oct 2015, at 6:59, Stephane Bortzmeyer wrote:
> On Mon, Oct 26, 2015 at 11:34:44AM +0100,
> Shane Kerr <shane at biigroup.cn> wrote
> a message of 56 lines which said:
>> What we *could* do is to check that the root zone is valid on each
>> authority server. There is no provision in any existing DNS software
>> to do this automatically as part of the zone transfer process, but
>> it could be done via scripts or as a periodic (hourly?) audit
>> activity. It would not provide any additional safety for validating
>> resolvers, but it would help non-validating resolvers a bit.
> It seems a good idea and if someone has a student with some free time,
> this would be a cool project to start with DNS.
> I assume the "real" root already does it but I've never seen info
> about these checks. Anyone knows?
I know that no such checks were performed on F or L-Root while I was
involved with their operation.
There was talk once upon a time about ISI performing checks on B-Root,
but it was never clear whether they were talking about making sure they
had the opportunity to carry out such checks or whether they were
actually doing them.
My sense is that all root server operators today trust the channel
authentication afforded by the use of TSIG, the truncation protection
inherent in AXFR (checking for the trailing SOA RRSet) and do no other
checking. This may well be a natural consequence of the public
commitment made by all root servers to publish what they are given,
promptly, without modification (if you did carry out checks, and you
must be prompt and you can't modify, then I guess you publish anyway, so
why bother checking).
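Shane's suggested post-transfer audit and the two checks Joe says operators actually rely on (TSIG plus the leading/trailing SOA framing of AXFR) can be sketched as a small script. The code below is an added example, not Yeti or root-operator software: the zone text is a constructed, heavily abridged stand-in for a real root-zone AXFR (made-up signatures and keys), the function names are ours, and it deliberately stops short of cryptographic RRSIG verification, which would need the DNSKEY material and a crypto library. What it does check is the AXFR framing (first and last record are the apex SOA with the same serial, nothing else is an SOA) and the content invariants a non-validating resolver implicitly depends on: apex SOA/NS/DNSKEY present, every apex RRset and every DS RRset covered by an RRSIG, and every RRSIG's validity window containing the audit time. Delegation NS and glue are left unsigned, as DNSSEC requires.

```python
"""Offline sanity audit of a root-zone AXFR transcript.

Added example for the Yeti discussion; not code from any root server operator.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: an abridged root zone as it would arrive over AXFR
# (first and last records are the apex SOA). Keys and signatures are fake.
SAMPLE_AXFR = """
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015102600 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
. 172800 IN DNSKEY 256 3 8 AwEAAc2qe6HxGD1S6y4xKVf1eBq7+BZ1n2Ib+M0GjlOQ1o/z2r/oAt+p
. 86400 IN RRSIG SOA 8 0 86400 20151105000000 20151026000000 62530 . c2lnbmF0dXJlMQ==
. 518400 IN RRSIG NS 8 0 518400 20151105000000 20151026000000 62530 . c2lnbmF0dXJlMg==
. 172800 IN RRSIG DNSKEY 8 0 172800 20151105000000 20151026000000 19036 . c2lnbmF0dXJlMw==
com. 172800 IN NS a.gtld-servers.net.
a.gtld-servers.net. 172800 IN A 192.5.6.30
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 86400 IN RRSIG DS 8 1 86400 20151105000000 20151026000000 62530 . c2lnbmF0dXJlNA==
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015102600 1800 900 604800 86400
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper so callers can build an aware UTC timestamp without importing datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_axfr(text):
    """One record per line: NAME TTL CLASS TYPE RDATA (simplified presentation format)."""
    records = []
    for line in text.strip().splitlines():
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append((name.lower(), int(ttl), rclass, rtype, rdata))
    return records


def soa_serial(rdata):
    """SOA rdata is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    return int(rdata.split()[2])


def check_axfr_framing(records):
    """The truncation protection built into AXFR (RFC 5936): the transfer starts and
    ends with the apex SOA, both carry the same serial, and no SOA appears in between."""
    if len(records) < 2 or records[0][3] != "SOA" or records[-1][3] != "SOA":
        return ["transfer does not begin and end with an SOA record"]
    problems = []
    if soa_serial(records[0][4]) != soa_serial(records[-1][4]):
        problems.append("leading and trailing SOA serials differ")
    if any(r[3] == "SOA" for r in records[1:-1]):
        problems.append("unexpected SOA inside the transfer body")
    return problems


def _sig_time(field):
    """RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_zone(records, now):
    """Content audit of the kind an hourly cron job could run on an authority server.
    Returns a list of problem strings; empty means the zone passed."""
    problems = []
    apex = records[0][0]
    rrsets = defaultdict(list)
    for name, _ttl, _cls, rtype, rdata in records:
        rrsets[(name, rtype)].append(rdata)

    for rtype in ("SOA", "NS", "DNSKEY"):
        if (apex, rtype) not in rrsets:
            problems.append(f"apex {rtype} RRset missing")

    # RRSIG rdata: TYPE_COVERED ALG LABELS ORIG_TTL EXPIRATION INCEPTION KEYTAG SIGNER SIG
    covered = set()
    for (name, rtype), rdatas in rrsets.items():
        if rtype != "RRSIG":
            continue
        for rdata in rdatas:
            fields = rdata.split()
            type_covered, expiration, inception = fields[0], fields[4], fields[5]
            covered.add((name, type_covered))
            if not (_sig_time(inception) <= now <= _sig_time(expiration)):
                problems.append(f"RRSIG over {name}/{type_covered} not valid at {now.isoformat()}")

    # Everything at the apex and every DS RRset must be signed; delegation NS and
    # glue are unsigned by design, so they are skipped here.
    for (name, rtype) in rrsets:
        if rtype == "RRSIG":
            continue
        if (name == apex or rtype == "DS") and (name, rtype) not in covered:
            problems.append(f"{name}/{rtype} has no covering RRSIG")
    return problems


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    for p in check_axfr_framing(recs) + audit_zone(recs, utc(2015, 10, 26, 12, 20, 38)):
        print("PROBLEM:", p)
```

In practice the script would be fed the zone the server actually loaded (for example via a local AXFR of the served copy) rather than the inbound transfer, so that it audits what is being answered. As Joe notes, a failed audit on a root server cannot block publication given the promptness and no-modification commitments; the useful output is an alert to the operator and the zone source.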