> Tony Finch <mailto:[email protected]>
> Tuesday, November 11, 2014 1:07 PM
>
> ...
>
> I thought the idea of validating the zone transfer before putting the zone
> live was interesting.
this is something deliberately left out of the dnssec design, because it doesn't obviate validation by query initiators of the underlying data. in this case the query initiator will be the rdns coupled to this stealth slave, which MUST do rfc 5011 key rolls and full dnssec validation, no matter whether the root zone is checked after each transfer.

given that adding logic to a crypto system usually makes it less safe, not more safe, we'd need a compelling reason to recommend validation. especially since it would have to be redone after each IXFR, and especially since the full zone might be arbitrarily large (that is, the root zone isn't the only one that can benefit from this kind of hot-cache inside the RDNS itself.)

i am therefore strongly -1 to any kind of validation of transferred contents. transfers, like the lack of signatures on delegation NS RRsets, are deliberately outside the design envelope for secure dns. let's not add stuff like this just because it's possible or interesting.

--
Paul Vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
