David,

On 31/10/2025 11.38, David Malone wrote:
I'm just trying to map out all of the potential failure scenarios, and convince myself that this is "just as safe as before"...
Just one data point - I wrote a paper about the local root configuration that I presented at IMC in 2004.
https://conferences.sigcomm.org/imc/2004/papers/p15-malone.pdf
The results seemed to show a reasonable improvement in weird queries leaking out of my name server, so I've been using the local root configuration ever since, and I don't remember it causing any trouble in the last ~20 years. (Plus, the configuration is now easier.)
I've also been doing the same thing for "arpa", "in-addr.arpa", and "ip6.arpa" for a shorter period of time, with no problems.

I was wondering where you got in-addr.arpa and ip6.arpa around, and found out that ICANN provides those and a few more zones at servers set up for XFR:

https://www.dns.icann.org/services/axfr/

Most of these are DNSSEC-signed (I think all of them except for root-servers.net).

I wonder if we could convince ICANN to add ZONEMD to those zones as well...

Cheers,

--
Shane