RFC Errata



Found 2 records.

Status: Verified (2)

RFC 8806, "Running a Root Server Local to a Resolver", June 2020

Source of RFC: dnsop (ops)

Errata ID: 8634
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Petr Špaček
Date Reported: 2025-11-14
Verifier Name: Mohamed BOUCADAIR
Date Verified: 2025-11-17

Section B.1 says:

view root {
    match-destinations { 127.12.12.12; };
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            199.9.14.201;         # b.root-servers.net
            192.33.4.12;          # c.root-servers.net
            199.7.91.13;          # d.root-servers.net
            192.5.5.241;          # f.root-servers.net
            192.112.36.4;         # g.root-servers.net
            193.0.14.129;         # k.root-servers.net
            192.0.47.132;         # xfr.cjr.dns.icann.org
            192.0.32.132;         # xfr.lax.dns.icann.org
            2001:500:200::b;      # b.root-servers.net
            2001:500:2::c;        # c.root-servers.net
            2001:500:2d::d;       # d.root-servers.net
            2001:500:2f::f;       # f.root-servers.net
            2001:500:12::d0d;     # g.root-servers.net
            2001:7fd::1;          # k.root-servers.net
            2620:0:2830:202::132; # xfr.cjr.dns.icann.org
            2620:0:2d0:202::132;  # xfr.lax.dns.icann.org
        };
    };
};

view recursive {
    dnssec-validation auto;
    allow-recursion { any; };
    recursion yes;
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};

It should say:

// Warning:
// Error handling and transitional states of a server with this
// configuration do not conform to the requirements given in
// this document.

view root {
    match-destinations { 127.12.12.12; };
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            199.9.14.201;         # b.root-servers.net
            192.33.4.12;          # c.root-servers.net
            199.7.91.13;          # d.root-servers.net
            192.5.5.241;          # f.root-servers.net
            192.112.36.4;         # g.root-servers.net
            193.0.14.129;         # k.root-servers.net
            192.0.47.132;         # xfr.cjr.dns.icann.org
            192.0.32.132;         # xfr.lax.dns.icann.org
            2001:500:200::b;      # b.root-servers.net
            2001:500:2::c;        # c.root-servers.net
            2001:500:2d::d;       # d.root-servers.net
            2001:500:2f::f;       # f.root-servers.net
            2001:500:12::d0d;     # g.root-servers.net
            2001:7fd::1;          # k.root-servers.net
            2620:0:2830:202::132; # xfr.cjr.dns.icann.org
            2620:0:2d0:202::132;  # xfr.lax.dns.icann.org
        };
    };
};

view recursive {
    dnssec-validation auto;
    allow-recursion { any; };
    recursion yes;
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};

Notes:

This requirement is not met by the listed configuration:
In a resolver that is using an internal service for the root zone, if the contents of the root zone cannot be refreshed before the expire time in the SOA, the resolver MUST immediately switch to using non-local root servers.

That is a feature (= intended behavior) of the listed configuration, not a bug in implementation.

Also, resolution will fail during server startup - before the root zone is transferred for the first time. I would not be surprised if other edge cases are also non-conformant.

== Verifier note ==

Refer to the authors' check at: https://mailarchive.ietf.org/arch/msg/dnsop/wDPwMG-_6GElzDqS7IdzK5C_8dM/
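
The requirement quoted in the notes above, together with the startup case the reporter mentions, written out as a freshness check. This is an added example, not part of the erratum, RFC 8806, or any server's code; the SOA line is a constructed sample, and parse_soa and root_source are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample SOA record in presentation format (not taken from the page).
SAMPLE_SOA = (". 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. "
              "2025111400 1800 900 604800 86400")

@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int   # seconds between refresh attempts
    retry: int     # seconds between retries after a failed refresh
    expire: int    # seconds after which the local copy must not be served
    minimum: int

def parse_soa(line: str) -> Soa:
    """Parse a one-line SOA record: owner [ttl] [class] SOA mname rname + 5 integers."""
    fields = line.split()
    idx = [f.upper() for f in fields].index("SOA")  # ValueError if not an SOA record
    rdata = fields[idx + 1:]
    if len(rdata) != 7:
        raise ValueError("SOA RDATA must have exactly 7 fields")
    serial, refresh, retry, expire, minimum = (int(x) for x in rdata[2:])
    return Soa(serial, refresh, retry, expire, minimum)

def root_source(soa: Optional[Soa], last_refresh: Optional[float],
                now: float) -> Tuple[bool, str]:
    """Return (use_local_root, reason) for the local root zone copy.

    last_refresh is the time of the last successful refresh, or None if the
    zone has never been transferred. False means: use non-local root servers.
    """
    if soa is None or last_refresh is None:
        return (False, "no-zone")        # startup: nothing transferred yet
    age = now - last_refresh
    if age < 0:
        return (False, "clock-skew")     # timestamp in the future: fail safe
    if age >= soa.expire:
        return (False, "expired")        # serving this copy would be stale data
    if age > soa.refresh:
        return (True, "refresh-overdue") # still valid, but worth alerting on
    return (True, "fresh")

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    for last, now in [(None, 0.0), (0.0, 600.0), (0.0, 7200.0), (0.0, 604800.0)]:
        print(last, now, root_source(soa, last, now))
```

The "refresh-overdue" state is a monitoring hook assumed for this example; the requirement itself only concerns the "no-zone" and "expired" outcomes.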

Errata ID: 7692
Status: Verified
Type: Editorial
Publication Format(s) : TEXT, PDF, HTML

Reported By: Deliang Chang
Date Reported: 2023-10-31
Verifier Name: RFC Editor
Date Verified: 2023-10-31

Section 3 says:

   There is a risk that a system using a local authoritative server for
   the root zone cannot refresh the contents of the root zone before the
   expire time in the SOA.  A system using a local authoritative server
   for the root zone MUST NOT serve stale data for the root zone.  To
   mitigate the risk that stale data is served, the local root server
   MUST immediately switch to using non-local root servers when it
   detects that it would be serving state data.

It should say:

   There is a risk that a system using a local authoritative server for
   the root zone cannot refresh the contents of the root zone before the
   expire time in the SOA.  A system using a local authoritative server
   for the root zone MUST NOT serve stale data for the root zone.  To
   mitigate the risk that stale data is served, the local root server
   MUST immediately switch to using non-local root servers when it
   detects that it would be serving stale data.

Notes:

Based on the context, it seems that in the last sentence the intended word is "stale" as in stale data, instead of "state". So, I believe there might be a typo in the text, and the correct interpretation would be to switch back to the non-local root when stale data is detected.
