[Yeti DNS Discuss] Reply: Several trust anchors for the root?
ljsong at biigroup.cn
Fri May 5 02:21:14 UTC 2017
(I found this mail in my junk mailbox.) I think it is interesting. We do
have a similar test in the BII lab. The idea is simple and intuitive: how a Yeti
resolver can be fed from both IANA and Yeti root servers. Rather than hacking the
DNS software, we try two workarounds.

One is to compose a hint file with one (or two) dedicated servers. The
dedicated server hosts a root zone similar to the Yeti root zone, but with the NS
record of the apex containing 13 IANA root + 25 Yeti root + dedicated server. An
iptables rule is added in the resolver to block all priming queries (NS query
for ".") except for the query against the dedicated server. This approach is
workable as a load-balance mechanism. The resolver still uses Yeti's KSK to

Another approach is to configure a cache and forwarder. The upstreams are two
additional instances, which are an IANA resolver and a Yeti resolver respectively.
The two instances can be deployed with physical machines, or VMs, or threads,
or views of BIND.

If we would like to change the trust anchor model from a DNS-based model to a
certificate-based model like the Web, we need to hack the DNS a little bit.
Well, it's bold and sounds like an opposing direction of DANE.

> From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On behalf of Stephane
> Sent: April 1, 2017 23:08
> To: discuss at lists.yeti-dns.org
> Subject: [Yeti DNS Discuss] Several trust anchors for the root?
> Did anyone try to have both IANA and Yeti trust anchors in their resolver?
> Anything special to report? Especially when RFC 5011 does things?
> I'm asking the question because I would like to have a Yeti resolver on a
> machine which sometimes travels to IPv4-only networks, thus preventing me
> using Yeti. I would like to swap roots, and I would prefer to have only
> to do, changing the hints.