On 11/29/14 2:57 PM, Paul Vixie wrote:
> this matters, because if the secondary server is going to have to iterate through the whole zone after loading it, it might as well just verify the DNSSEC signatures and NSEC chain.
That's an incomplete solution due to the things that DNSSEC doesn't cover (I'm thinking particularly of delegation NS records here).
> that wouldn't test for "validity" of the zone, but it would be a consistency check of the same depth as any zone-level signature could offer. and what's better is, incremental changes via IXFR or UPDATE could then be tested incrementally.
Doing a "validity" signature on a per-RRset basis has a lot going for it, not the least of which is making the incremental updates easier.
We still need a way to verify the entire contents of the zone, however. This goes beyond just transfers; it would be nice to be able to verify that a zone downloaded using a method other than transfers is both accurate and complete.
I'm sensitive to your expectation that non-transfer methods should provide their own security, and your argument that every new line of code adds more fragility. However, I do see the appeal of a standardized way of demonstrating that a given zone is what it should be.
FWIW, Doug
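The load-time consistency check Paul describes (walk the NSEC chain, check that every authoritative RRset carries an RRSIG) together with the gap Doug points at (delegation NS RRsets carry no RRSIG), as an added example that is not part of this thread or of any DNS implementation. The zone is a constructed toy model rather than a parsed zone file, and the canonical-ordering check of the chain is omitted:

```python
# Toy model of a signed zone (constructed data): owner -> {rtype: value}.
# RRSIG is modelled as the set of types it covers, NSEC as (next owner, type bitmap).
APEX = "example."
ZONE = {
    "example.": {"SOA": "ns1 hostmaster 1", "NS": {"ns1.example."}, "DNSKEY": "<key>",
                 "RRSIG": {"SOA", "NS", "DNSKEY", "NSEC"},
                 "NSEC": ("a.example.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})},
    "a.example.": {"A": {"192.0.2.1"}, "RRSIG": {"A", "NSEC"},
                   "NSEC": ("sub.example.", {"A", "RRSIG", "NSEC"})},
    # delegation point: only the NSEC (and a DS, if present) is signed; the NS RRset is not
    "sub.example.": {"NS": {"ns.sub.example."}, "RRSIG": {"NSEC"},
                     "NSEC": ("example.", {"NS", "RRSIG", "NSEC"})},
    # glue below the delegation: not authoritative, so it has no NSEC and no RRSIG
    "ns.sub.example.": {"A": {"192.0.2.53"}},
}

def check_zone(zone, apex):
    """Return (problems, unsigned_delegations): chain breaks, bitmap mismatches and
    missing RRSIGs, plus the delegation names whose NS RRset DNSSEC leaves unsigned."""
    problems, chain, name = [], [], apex
    # 1. Walk the NSEC chain from the apex; it must close back on the apex.
    while True:
        nsec = zone.get(name, {}).get("NSEC")
        if nsec is None:
            problems.append(f"{name}: NSEC chain broken (no NSEC record)")
            break
        chain.append(name)
        nxt, bitmap = nsec
        if bitmap != set(zone[name]):
            problems.append(f"{name}: NSEC bitmap does not match the types present")
        name = nxt
        if name in chain:  # back at the apex (good) or a loop that skips it (bad)
            if name != apex:
                problems.append(f"{name}: NSEC chain loops without reaching the apex")
            break
    # 2. Every name is either in the chain or glue below a delegation in the chain.
    delegations = {n for n in chain if n != apex and "NS" in zone[n]}
    for n in zone:
        if n not in chain and not any(n.endswith("." + d) for d in delegations):
            problems.append(f"{n}: not in NSEC chain and not glue under a delegation")
    # 3. Every authoritative RRset needs an RRSIG, except delegation NS RRsets, which
    #    DNSSEC deliberately leaves unsigned: the part no signature check can vouch for.
    unsigned = []
    for n in chain:
        for rtype in zone[n].keys() - {"RRSIG"}:
            if n in delegations and rtype == "NS":
                unsigned.append(n)
            elif rtype not in zone[n].get("RRSIG", set()):
                problems.append(f"{n}/{rtype}: missing RRSIG")
    return problems, sorted(unsigned)
```

Run against the model as given, the chain and signatures check out but the delegation at sub.example. is reported as unverifiable, which is exactly why a zone-level check is still wanted.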
