[Yeti DNS Discuss] Re: Fwd: [dns-operations] Domain Name System without Root Servers
ljsong at biigroup.cn
Mon Oct 16 06:28:37 UTC 2017
Oh thank you. I just figured out that each zone can be assigned
a specific TA (BIND for example) using the trusted-keys statement. Normally we
only specify a TA for the root "."
In this case, it requires each resolver to cache all the zone file and update
it, right? So they do not need any hint file. But I have a more radical idea:
the TLD operator can append non-apex information of the root zone to the TLD
zone. So the opt-in TLDs can claim that they are authoritative for that part of the
information, update it periodically and sign it with the TLDs' key. In that
case the TA of that TLD and the TA of the root are the same. Does this sound like a
> From: 'Stephane Bortzmeyer' [mailto:bortzmeyer at nic.fr]
> Sent: October 11, 2017 19:39
> To: Davey Song
> Cc: 'Stephane Bortzmeyer'; discuss at lists.yeti-dns.org
> Subject: Re: Fwd: [dns-operations] Domain Name System without Root Servers
> On Wed, Oct 11, 2017 at 06:37:59PM +0800, Davey Song
> <ljsong at biigroup.cn> wrote a message of 61 lines which said:
> > As much as I understand:
> The way I understand it:
> > 1) The resolver can work with at least two trust anchors, right? One
> > TLD's KSK and IANA's KSK. If yes, it needs to change heavily the DNS
> > specification on resolver and the implementation.
> Why? All resolvers can do that (typically, the most specific TA is used).
> instance, today, a resolver in China may use the ICANN TA and the .cn TA,
> configuration, to be sure that .cn can be validated whatever ICANN does.
> does not change the DNS protocol.
> > 3) Is it necessary for the TLD server to host the root zone?
> > If there is no root zone hosted by the TLD server, how does the .com TLD server
> > resolve the request for .cn queries?
> It does not. The resolver queries the .cn servers for example.cn and the .
> servers for example.com. In a way, there is a root zone file in every
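Added example, not part of the original messages and not taken from any resolver's code: a Python sketch of the "most specific TA is used" selection mentioned in the quoted reply, for a resolver configured with several trust anchors. The function names and the sample anchor lists are assumptions made for illustration.

```python
# Added illustration: pick the closest-enclosing trust anchor (TA) for a name.
# Zone names below are constructed sample configuration; no real key data is used.

def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def select_trust_anchor(qname, anchors):
    """Return the configured anchor zone that most specifically encloses qname.

    anchors: iterable of zone names for which a TA is configured.
    Returns the zone name with a trailing dot, or None when no configured
    anchor covers the name (the answer cannot be validated from local TAs).
    """
    q = labels(qname)
    best = None
    for zone in anchors:
        z = labels(zone)
        # Compare whole labels from the right, so "examplecn." never matches "cn."
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(best):
                best = z
    if best is None:
        return None
    return ".".join(best) + "." if best else "."


if __name__ == "__main__":
    # Resolver holding both the root TA and a .cn TA, as in the quoted reply.
    configured = [".", "cn."]
    for name in ("www.example.cn.", "example.com.", "examplecn."):
        print(name, "->", select_trust_anchor(name, configured))

    # Resolver with per-TLD anchors only and no root TA.
    print("example.com. ->", select_trust_anchor("example.com.", ["cn."]))
```

With only per-TLD anchors configured, any name outside those TLDs has no covering anchor, which is why the second configuration returns `None` for `example.com.`.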