> Evan Hunt <mailto:[email protected]>
> Saturday, November 29, 2014 2:00 PM
>
> An out-of-band signature can only cover an out-of-band transfer. An
> in-band signature could cover both kinds.

Well, sure, but at the expense of the secondary server having to read every byte of the transferred zone contents, which is currently unnecessary for servers using an mmap'd file that they only access sparsely and at need. (Whereas the prospective out-of-band transfer method already has to touch every byte of the zone contents, and could therefore verify a signature "for free".)
This matters, because if the secondary server is going to have to iterate through the whole zone after loading it, it might as well just verify the DNSSEC signatures and NSEC chain. That wouldn't test for "validity" of the zone, but it would be a consistency check of the same depth as any zone-level signature could offer. And what's better is, incremental changes via IXFR or UPDATE could then be tested incrementally. Here, I'm specifically thinking of zones so large that touching every byte of their content is a multiple-minutes cost.

--
Paul Vixie
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
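The consistency check Vixie sketches (walk the NSEC chain, then re-check only what an IXFR delta touched) looks like the following. This is an added illustration, not code from the thread or from any name server: the zone is a constructed in-memory dict, the owner names and rdata are made up, RRSIG records and signature verification are left out (they would need keys; only the NSEC chain and type bitmaps are checked), and the incremental checker keeps a sorted index of owner names so a delta costs a few bisect lookups rather than a full pass.

```python
"""NSEC chain consistency: a full pass, and an incremental pass after an
IXFR-style delta. Constructed example; no real zone data, no RRSIGs."""
import bisect


def canonical_key(name):
    """Sort key for the canonical DNS name order of RFC 4034 section 6.1:
    labels compared right to left, case-insensitively, as byte strings."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def sample_zone():
    """Constructed zone: owner -> {rrtype: [rdata, ...]}. NSEC rdata is
    (next owner, frozenset of types at this owner); a signed zone would
    also carry RRSIG at every owner and list it in each bitmap."""
    return {
        "example.":     {"SOA": ["ns1.example. hostmaster.example. 1 3600 900 1209600 300"],
                         "NS": ["ns1.example."],
                         "NSEC": [("a.example.", frozenset({"SOA", "NS", "NSEC"}))]},
        "a.example.":   {"A": ["192.0.2.1"],
                         "NSEC": [("b.a.example.", frozenset({"A", "NSEC"}))]},
        "b.a.example.": {"TXT": ["sub"],
                         "NSEC": [("ns1.example.", frozenset({"TXT", "NSEC"}))]},
        "ns1.example.": {"A": ["192.0.2.53"],
                         "NSEC": [("Z.example.", frozenset({"A", "NSEC"}))]},
        "Z.example.":   {"AAAA": ["2001:db8::1"],
                         "NSEC": [("example.", frozenset({"AAAA", "NSEC"}))]},
    }


def check_owner(zone, owner, expected_next):
    """One owner: exactly one NSEC, pointing at the canonical successor,
    with a bitmap equal to the types actually present. Returns error strings."""
    nsecs = zone[owner].get("NSEC", [])
    if len(nsecs) != 1:
        return ["%s: expected 1 NSEC, found %d" % (owner, len(nsecs))]
    next_name, bitmap = nsecs[0]
    errors = []
    if canonical_key(next_name) != canonical_key(expected_next):
        errors.append("%s: NSEC next is %s, expected %s" % (owner, next_name, expected_next))
    present = frozenset(zone[owner])
    if bitmap != present:
        errors.append("%s: NSEC bitmap %s, types present %s"
                      % (owner, sorted(bitmap), sorted(present)))
    return errors


def check_nsec_chain(zone, apex):
    """Full pass: the chain must visit every owner in canonical order and
    close back at the apex. Touches every owner; empty result means consistent."""
    ordered = sorted(zone, key=canonical_key)
    errors = []
    if canonical_key(ordered[0]) != canonical_key(apex):
        errors.append("apex %s is not first in canonical order" % apex)
    for i, owner in enumerate(ordered):
        errors += check_owner(zone, owner, ordered[(i + 1) % len(ordered)])
    return errors


class IncrementalChecker:
    """Sorted index of owner keys, so after a delta only the touched owners and
    their chain predecessors are re-checked (O(log n) lookups each)."""

    def __init__(self, zone):
        self.zone = zone
        self.keys = sorted(canonical_key(n) for n in zone)
        self.by_key = {canonical_key(n): n for n in zone}

    def successor(self, name):
        i = bisect.bisect_right(self.keys, canonical_key(name))
        return self.by_key[self.keys[i % len(self.keys)]]

    def predecessor(self, name):  # works for a name already removed from the index
        i = bisect.bisect_left(self.keys, canonical_key(name))
        return self.by_key[self.keys[(i - 1) % len(self.keys)]]

    def apply(self, deletes, adds):
        """Apply an IXFR-style delta of (owner, rrtype, rdata) tuples; return touched owners."""
        touched = set()
        for owner, rrtype, rdata in deletes:
            rrset = self.zone[owner][rrtype]
            rrset.remove(rdata)
            if not rrset:
                del self.zone[owner][rrtype]
            if not self.zone[owner]:          # last RRset gone: owner leaves the chain
                del self.zone[owner]
                k = canonical_key(owner)
                self.keys.remove(k)
                del self.by_key[k]
            touched.add(owner)
        for owner, rrtype, rdata in adds:
            if owner not in self.zone:        # new owner: must get its own NSEC
                self.zone[owner] = {}
                k = canonical_key(owner)
                bisect.insort(self.keys, k)
                self.by_key[k] = owner
            self.zone[owner].setdefault(rrtype, []).append(rdata)
            touched.add(owner)
        return touched

    def check(self, touched):
        """Re-verify each touched owner that still exists plus its predecessor,
        whose NSEC must now skip a removed name or point at an added one."""
        to_check = set()
        for name in touched:
            to_check.add(self.predecessor(name))
            if name in self.zone:
                to_check.add(name)
        errors = []
        for owner in sorted(to_check, key=canonical_key):
            errors += check_owner(self.zone, owner, self.successor(owner))
        return errors
```

`check_nsec_chain` is the "touch everything" pass a secondary would run once after a full transfer; `IncrementalChecker.apply` followed by `check` is what an IXFR or UPDATE would trigger, and it catches a delta that adds a name without its NSEC, or removes one without repointing its predecessor, while looking only at the neighbours of the change.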
