On Thu, Oct 30, 2025 at 5:51 PM, Randy Bush <randy@psg.com> wrote:

ray, i know you mean well, and it's not your fault, but ...

could i convince you to put up a web page with the recipes for the half dozen prominent resolvers with this hack and one or two others?

The BIND instructions are in RFC 8806, as are those for some other resolvers that support this.

There are caveats:

- allowing AXFR of the root is something that some root operators do, but it is not a formal service offering. Any (or all) of them could withdraw it at any point.

- you'll want to have really good monitoring in place to make sure your transfers are succeeding

- without NOTIFY you might miss urgent root zone updates, e.g. in the case of an urgent TLD key roll

- you might also want to use ZONEMD to check that the zone is correct.

in case you did not notice, you left *simple* a few turns back. oh right, this is the dns (see my 2000 rant on dns anti-simplicity [0]).

would you care to put up a web page with the recipe(s) for doing all this? oh, you say there are 42 platforms and at least three ways to do each on any given platform?



Hi,

There are a few options — one of these is to register your server with ISI's LocalRoot project (https://localroot.isi.edu/) — that will generate config for you, allow you to set up TSIG if you want it, get notifies, etc.

If you don't want to do that: 
BIND — from BIND documentation for mirror zones
zone "." {
    type mirror;
};


Knot - from Knot Resolver Cache refilling
modules.load('prefill')
prefill.config({
    ['.'] = {
        url = 'https://www.internic.net/domain/root.zone',
        interval = 86400,  -- seconds (a comma is required between table fields)
        ca_file = '/etc/pki/tls/certs/ca-bundle.crt', -- optional
    }
})

Unbound - from: Unbound Authority Zone Options
auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    zonefile: "root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    prefetch: yes



These are from a lightning talk that I did at the ICANN meeting last week:
Slides: https://slides.com/wkumari/code?token=J6TlZ0Yu (note: the first many are very much background, and, as with most lightning talks, made more sense with someone talking through it…)

They are also included in: https://datatracker.ietf.org/doc/draft-wkumari-dnsop-localroot-bcp/ (note: we still need to add a bunch of text on priming and fetching by address, etc.).

W



and then we wonder why there is such a mess?

randy

[0] The DNS Today Are we Overloading the Saddlebags on an Old Horse? https://archive.psg.com/001213.ietf-dns.pdf
it even predates magenta comic sans :)
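The caveats above ask for "really good monitoring" of the root-zone transfers and warn that without NOTIFY an urgent root update can be missed. The script below is an added example of the check a practitioner would run from cron for that; it is not code from this thread, from RFC 8806 or from any resolver project. It assumes the mirror answers `dig @127.0.0.1 . SOA` and that an authoritative root server can be asked the same question; both answers are modelled here as constructed RDATA strings so the check runs offline, and the two-day age threshold is an assumption to tune locally. Serial comparison follows RFC 1982 arithmetic, and the edition date is decoded from the root zone's YYYYMMDDNN serial convention.

```python
"""Freshness check for a locally mirrored root zone.

Added example for this thread; not from the thread, RFC 8806 or any resolver.
Assumed (labelled) inputs: the mirror's root SOA and an authoritative root
server's SOA, here as constructed strings in `dig +short . SOA` RDATA format.
"""
from datetime import date
import subprocess

SERIAL_MOD = 1 << 32      # SOA serials are 32-bit (RFC 1982)
HALF_RANGE = 1 << 31

# Constructed sample answers (refresh/retry/expire/minimum match the real root SOA).
LOCAL_SOA = "a.root-servers.net. nstld.verisign-grs.com. 2025102801 1800 900 604800 86400"
UPSTREAM_SOA = "a.root-servers.net. nstld.verisign-grs.com. 2025103001 1800 900 604800 86400"


def parse_soa(rdata: str) -> dict:
    """Split SOA RDATA text into its seven fields, with the numeric ones as ints."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def serial_lag(local: int, upstream: int) -> int:
    """How far upstream's serial is ahead of local's, per RFC 1982 arithmetic.

    Positive: upstream is newer (normal right after a new edition is published).
    Negative: local is newer, which a mirror should never report.
    Raises when the serials differ by exactly 2^31, where RFC 1982 leaves the
    ordering undefined.
    """
    for s in (local, upstream):
        if not 0 <= s < SERIAL_MOD:
            raise ValueError(f"serial out of 32-bit range: {s}")
    diff = (upstream - local) % SERIAL_MOD
    if diff == HALF_RANGE:
        raise ValueError("serials differ by exactly 2^31; RFC 1982 ordering undefined")
    return diff if diff < HALF_RANGE else diff - SERIAL_MOD


def root_serial_date(serial: int) -> date:
    """Decode the root zone's YYYYMMDDNN serial convention into the edition date.

    This is an observed convention of the root zone, not a DNS rule; a
    ValueError means the value does not look like a root serial at all.
    """
    text = str(serial)
    if len(text) != 10:
        raise ValueError(f"{serial} is not in YYYYMMDDNN form")
    return date(int(text[0:4]), int(text[4:6]), int(text[6:8]))


def check_mirror(local_soa: str, upstream_soa: str, today: str = None,
                 max_age_days: int = 2) -> tuple:
    """Return (ok, message) for the mirror; `today` is an ISO date, default now.

    Two alarms: the local edition date being older than max_age_days (a dead
    transfer), and the local serial differing from the authoritative one (a
    missed edition, e.g. because no NOTIFY reaches a mirror fed by AXFR polling).
    """
    today_d = date.fromisoformat(today) if today else date.today()
    local = parse_soa(local_soa)["serial"]
    upstream = parse_soa(upstream_soa)["serial"]
    lag = serial_lag(local, upstream)
    if lag < 0:
        return False, f"local serial {local} is ahead of upstream {upstream}; not mirroring the real root"
    age = (today_d - root_serial_date(local)).days
    if age > max_age_days:
        return False, f"local edition {local} is {age} days old; transfers are probably failing"
    if lag > 0:
        return False, f"local serial {local} is behind upstream {upstream}; a transfer or NOTIFY was missed"
    return True, f"local serial {local} matches upstream"


def live_soa(server: str) -> str:
    """Fetch the root SOA RDATA from a server with dig (assumes dig is installed)."""
    out = subprocess.run(["dig", "+short", f"@{server}", ".", "SOA"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().splitlines()[0]


if __name__ == "__main__":
    # Offline demo on the constructed answers; swap in live_soa("127.0.0.1")
    # and live_soa("a.root-servers.net") for a real cron check.
    ok, msg = check_mirror(LOCAL_SOA, UPSTREAM_SOA, today="2025-10-30")
    print("OK" if ok else "ALARM", msg)
```

The age check is deliberately independent of the serial comparison: on a day when the upstream probe is itself unreliable, a stale edition date on the mirror still raises an alarm. Any positive lag is reported rather than tolerated, because root editions are published only a couple of times a day and a mirror should converge within minutes of each one.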
-----
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/dns-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/