RFC Errata
RFC 8806, "Running a Root Server Local to a Resolver", June 2020
Source of RFC: dnsop (ops)
See Also: RFC 8806 w/ inline errata
Errata ID: 8634
Status: Verified
Type: Technical
Publication Format(s): TEXT, PDF, HTML
Reported By: Petr Špaček
Date Reported: 2025-11-14
Verifier Name: Mohamed BOUCADAIR
Date Verified: 2025-11-17
Section B.1 says:
view root {
    match-destinations { 127.12.12.12; };
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            199.9.14.201;          # b.root-servers.net
            192.33.4.12;           # c.root-servers.net
            199.7.91.13;           # d.root-servers.net
            192.5.5.241;           # f.root-servers.net
            192.112.36.4;          # g.root-servers.net
            193.0.14.129;          # k.root-servers.net
            192.0.47.132;          # xfr.cjr.dns.icann.org
            192.0.32.132;          # xfr.lax.dns.icann.org
            2001:500:200::b;       # b.root-servers.net
            2001:500:2::c;         # c.root-servers.net
            2001:500:2d::d;        # d.root-servers.net
            2001:500:2f::f;        # f.root-servers.net
            2001:500:12::d0d;      # g.root-servers.net
            2001:7fd::1;           # k.root-servers.net
            2620:0:2830:202::132;  # xfr.cjr.dns.icann.org
            2620:0:2d0:202::132;   # xfr.lax.dns.icann.org
        };
    };
};

view recursive {
    dnssec-validation auto;
    allow-recursion { any; };
    recursion yes;
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
It should say:
// Warning:
// Error handling and transitional states of a server with this
// configuration do not conform to the requirements given in
// this document.
view root {
    match-destinations { 127.12.12.12; };
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            199.9.14.201;          # b.root-servers.net
            192.33.4.12;           # c.root-servers.net
            199.7.91.13;           # d.root-servers.net
            192.5.5.241;           # f.root-servers.net
            192.112.36.4;          # g.root-servers.net
            193.0.14.129;          # k.root-servers.net
            192.0.47.132;          # xfr.cjr.dns.icann.org
            192.0.32.132;          # xfr.lax.dns.icann.org
            2001:500:200::b;       # b.root-servers.net
            2001:500:2::c;         # c.root-servers.net
            2001:500:2d::d;        # d.root-servers.net
            2001:500:2f::f;        # f.root-servers.net
            2001:500:12::d0d;      # g.root-servers.net
            2001:7fd::1;           # k.root-servers.net
            2620:0:2830:202::132;  # xfr.cjr.dns.icann.org
            2620:0:2d0:202::132;   # xfr.lax.dns.icann.org
        };
    };
};

view recursive {
    dnssec-validation auto;
    allow-recursion { any; };
    recursion yes;
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
Notes:
This requirement is not met by the listed configuration:
In a resolver that is using an internal service for the root zone, if the contents of the root zone cannot be refreshed before the expire time in the SOA, the resolver MUST immediately switch to using non-local root servers.
That is a feature (= intended behavior) of the listed configuration, not a bug in implementation.
Also, resolution will fail during server startup - before the root zone is transferred for the first time. I would not be surprised if other edge cases are also non-conformant.
== Verifier note ==
Refer to the authors' check at: https://mailarchive.ietf.org/arch/msg/dnsop/wDPwMG-_6GElzDqS7IdzK5C_8dM/
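
Because the listed configuration does not fall back on its own, an external watchdog can flag the two states named in the notes (root zone never transferred, root zone past its SOA expire time). The sketch below is an added example, not part of the erratum or of RFC 8806; the function names, the STALE heuristic, treating the startup state like expiry, and the sample SOA serial are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: SOA RDATA in presentation format (the seven fields
# that `dig +short . SOA` prints). The serial is made up for illustration.
SAMPLE_SOA = ("a.root-servers.net. nstld.verisign-grs.com. "
              "2025111400 1800 900 604800 86400")

@dataclass(frozen=True)
class SoaTimers:
    serial: int
    refresh: int
    retry: int
    expire: int

def parse_soa(rdata: str) -> SoaTimers:
    """Parse 'mname rname serial refresh retry expire minimum'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    serial, refresh, retry, expire, _minimum = (int(f) for f in fields[2:])
    return SoaTimers(serial, refresh, retry, expire)

def local_root_state(soa_rdata: Optional[str],
                     last_refresh: Optional[float],
                     now: float) -> str:
    """Classify the local root copy as NOT_LOADED, EXPIRED, STALE or OK.

    last_refresh is the epoch time of the last successful transfer or
    serial check; None means the zone has never been transferred.
    """
    if soa_rdata is None or last_refresh is None:
        return "NOT_LOADED"          # startup, before the first transfer
    soa = parse_soa(soa_rdata)
    age = now - last_refresh
    if age >= soa.expire:
        return "EXPIRED"             # past the SOA expire time
    if age >= soa.refresh + soa.retry:
        return "STALE"               # heuristic: a refresh and one retry missed
    return "OK"

def needs_fallback(state: str) -> bool:
    """True when the resolver should be using non-local root servers."""
    # EXPIRED is the case the RFC text quoted in the notes covers.
    # Treating NOT_LOADED the same way is this example's assumption.
    return state in ("NOT_LOADED", "EXPIRED")
```

STALE gives early warning well before the 604800-second expire in the sample, so an operator can act while the local copy is still being served.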
