Paul Vixie <[email protected]> wrote:
> > I thought the idea of validating the zone transfer before putting the zone
> > live was interesting.
>
> this is something deliberately left out of the dnssec design, because it
> doesn't obviate validation by query initiators of the underlying data.

Right, but DNSSEC usually assumes that the zone transfers themselves are authenticated, so they can't be corrupted in transit. This is not the case for local root zones. With normal DNSSEC validation, resolvers have a way to recover from data corruption. With this local root zone proposal they do not.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Southwest Viking: Southeasterly 7 to severe gale 9. Very rough. Occasional rain. Moderate or good.
