Hello, I'm sorry if it has already been discussed, but has there been any work done on using TLS for AXFR/IXFR?
It seems like it should be relatively straightforward, compared to the stub-to-resolver and resolver-to-authority links. While it does not seem as big a problem either, obviously somebody cares about hiding the contents of zones or everybody wouldn't block zone transfers, right?

There are still some issues to consider, such as what the interaction of TSIG and TLS certificates means, as well as what method a master can use to signal TLS support (this seems desirable to me, although not necessary).

Does this seem like something worth working on? Or is it a distraction from the resolver-to-authority work?

Note also that it might be worthwhile building a new zone transfer protocol that can perform better in areas where AXFR and IXFR don't work well today (unnecessary data in IXFR of signed zones, inefficiency for synchronizing lots of zones, automatic fallback to full zone transfer on IXFR failure, and so on). That's not really something for DPRIVE, of course, but adding TLS to the protocol could be rolled into such an activity.

Cheers,

--
Shane
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
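The post raises the question of how TSIG would interact with TLS on a zone-transfer connection. The following is an added example, not code from the post or from any DPRIVE work: it builds an AXFR query and signs and verifies it with TSIG (HMAC-SHA256, RFC 8945) using only the standard library, so it shows concretely what TSIG does and does not provide. TSIG authenticates the message bytes, binds them to a named shared key and to a time window (the fudge), but it leaves the zone data in the clear; TLS would add confidentiality and channel authentication, which is the gap the post is asking about. The key name, secret, zone and timestamp below are constructed for the example, and the verifier assumes an uncompressed query whose only additional record is the TSIG RR (enough for a request; a response verifier would also have to digest the request MAC). On the wire AXFR runs over TCP, so each message would additionally carry a two-byte length prefix, omitted here.

```python
import hashlib
import hmac
import struct

TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
ALG = "hmac-sha256."  # algorithm name as it appears in the TSIG RDATA


def encode_name(name):
    """Uncompressed wire-format name: 'example.' -> b'\\x07example\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Parse an uncompressed name at buf[off]; return (dotted name, new offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def build_axfr_query(zone, msg_id):
    """Minimal AXFR query: header with QDCOUNT=1, one question, no TSIG yet."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables in the order RFC 8945 s4.3.3 digests them:
    canonical key name, CLASS ANY, TTL 0, canonical algorithm name,
    time signed (48 bit), fudge, error, other length, other data."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR to a request. The MAC covers the message as it was
    before the RR was added (ARCOUNT not yet incremented) plus the variables."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    arcount = struct.unpack("!H", msg[10:12])[0]
    rdata = (encode_name(ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))  # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr


def tsig_verify(signed, keys, now):
    """Verify a TSIG-signed request against a {key name: secret} table.
    Returns False for unknown key (BADKEY), stale time (BADTIME) or bad MAC (BADSIG)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if an or ns or ar != 1:
        return False  # this example only parses a query whose sole AR record is the TSIG
    off = 12
    for _ in range(qd):
        _, off = read_name(signed, off)
        off += 4  # QTYPE + QCLASS
    rr_start = off
    key_name, off = read_name(signed, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    rd = signed[off:off + rdlen]
    alg, p = read_name(rd, 0)
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or ttl != 0 or alg.lower() != ALG:
        return False
    time_signed = int.from_bytes(rd[p:p + 6], "big")
    fudge, macsize = struct.unpack("!HH", rd[p + 6:p + 10])
    mac = rd[p + 10:p + 10 + macsize]
    p += 10 + macsize
    orig_id, error, other_len = struct.unpack("!HHH", rd[p:p + 6])
    other = rd[p + 6:p + 6 + other_len]
    secret = keys.get(key_name.lower())
    if secret is None or abs(now - time_signed) > fudge:
        return False
    # Rebuild the message as it looked before signing: original ID, ARCOUNT-1, TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:rr_start])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


# Constructed sample values for the demonstration (not real keys or zones).
KEY_NAME = "axfr-key.example."
SECRET = bytes.fromhex("9f1c0e3b7a5d4c2e1f0a8b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e")
NOW = 1700000000

if __name__ == "__main__":
    query = build_axfr_query("example.", 0x1234)
    signed = tsig_sign(query, KEY_NAME, SECRET, NOW)
    print("signed AXFR query:", signed.hex())
    print("verifies:", tsig_verify(signed, {KEY_NAME: SECRET}, NOW))
```

Flipping a byte of the zone name in the signed query, presenting it outside the fudge window, or verifying it with a different secret all fail, while the query bytes themselves remain readable to anyone on the path; that is the property a TLS wrapper would have to add rather than replace.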