[DNSOP] Re: New Draft on DNS Resolver Security

Sun, 18 Jan 2026 17:20:27 -0800 

Dear Ondrej,


   Just like RFC 8806, a simple local configuration in bind for building local 
mirror of root server as fellows,
BIND 9.14 can set up a local mirror of the root zone with a small
   configuration option:


   zone "." {
       type mirror;
   };


 this document describes a simple configuration method in BIND to directlly 
query a local authoritative server the resolver trusts.
The function of this configuration method is similar to RFC 8806, it can 
effectively shorten the query path of recursive servers. thus avoiding attacks 
from higher-level authoritative servers.


Best Regards
Bin


> -----原始邮件-----
> 发件人: "Ondřej Surý" <[email protected]>
> 发送时间:2026-01-18 22:00:51 (星期日)
> 收件人: 张宾 <[email protected]>
> 抄送: [email protected]
> 主题: Re: [DNSOP] New Draft on DNS Resolver Security
> 
> Hi,
> 
> I don't understand the purpose of this document and why it should be an 
> Internet Standard.
> 
> The document describes static-stub in BIND 9 and Unbound and doesn't seem to 
> bring
> anything new to the table. I might have missed something, but I don't see a 
> reason why
> this needs to be an Informational RFC.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> [email protected]
> 
> > On 14. 1. 2026, at 9:13, 张宾 <[email protected]> wrote:
> > 
> > Dear Chairman,
> > 
> >  My name is Bin Zhang. Our team recently submitted one Internet-Drafts.
> > 
> >    This draft provides a  technique for querying the designated 
> > authoritative server directly on the recursive server at the enterprise 
> > level. 
> > . 
> >    The goal of this draft is to help implementers of some enterprises make 
> > their resolvers more secure. 
> > 
> >     • Link: draft-zhang-dnsop-zb-01 - A Technique for Querying the 
> > Designated Authoritative Server Directly on the Recursive Server at the 
> > Enterprise Level
> > 
> > We believe these drafts fill important gaps in DNS security. We will attend 
> > IETF 125 in Shenzhen and look forward to discussing these topics with the 
> > working group.
> > 
> > We welcome any feedback on the mailing list.
> > 
> > Best regards,
> > Bin Zhang
> > Pengcheng Lab
> > 
> > _______________________________________________
> > DNSOP mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> 
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to