Maintained by: NLnet Labs

[Unbound-users] 8.8.8.8

Paul Wouters
Mon Jun 28 18:08:24 CEST 2010


On Mon, 28 Jun 2010, Papp Tamás wrote:

>> stub-zone:
>>     name:"ca."
>>     stub-prime:"no"
>>     stub-addr:192.228.22.190
>>     stub-addr:192.228.22.189
>> 
>> Now instead of using the NS records in the root zone that point to ca. 
>> unbound
>> will use these two addresses instead.
>
> Yes, I understand this. I don't unserstand the difference between 
> stub-prime:"no" and stub-prime:"yes".

It's to override the DNSSEC signed NS servers for the domain. With a shadow
tree, when signing a production zone and serving it on non-production name
servers, the NS records for the zone are wrong, and your dnssec signed NS
set would point to production instead of the shadow servers. This is the
override.

Paul