In message <[email protected]>, Tony 
Finch writes:
> Paul Hoffman <[email protected]> wrote:
> >
> > > I thought the idea of validating the zone transfer before putting the zone
> > > live was interesting. I could probably lash up a script to do that along
> > > the lines of the following, though it also needs to check the KSK matches
> > > the trust anchor.
> > >
> > > for server in $root_servers
> > > do if dig axfr . @"$server" >root.db &&
> > >      dnssec-verify -o . root.db     # zone fully signed, RRSIGs valid against its DNSKEYs
> > >   then nsdiff -s localhost . root.db | nsupdate -l
> > >        exit $?                      # status of the local update
> > >   fi
> > > done
> > > exit 1                              # no server gave us a zone that verified
> >
> > Sure, but this is an unnecessary change to what recursives do today,
> > which is to validate each response. It feels better to keep as much as
> > we can from the current methodology.
> 
> On the other hand, something vaguely like that kind of validation is often
> part of a high-assurance authoritative DNS setup. And I was suggesting a
> shonky way to add that validation to the authoritative side of the local
> root server, leaving the recursive side relatively normal.
> 
> The problem with slaving the root zone locally is that you damage the
> DNS's and DNSSEC's resilience features. Since you can't TSIG-authenticate
> the zone transfers I think you really need some other kind of sanity
> check, if you are going to recommend local root zones as a standard
> configuration. (as opposed to an experiment on a hostmaster's
> workstation.)

We could re-introduce zone signatures and require them for the
root zone but leave them optional for other zones.
 
> Tony.
> -- 
> f.anthony.n.finch  <[email protected]>  http://dotat.at/
> South Biscay, Fitzroy: Westerly or southwesterly 6 to gale 8. Moderate at
> first in southeast Biscay, otherwise rough or very rough, occasionally high in
> Fitzroy. Thundery showers. Good, occasionally poor.
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

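The step the quoted script leaves out is checking that the transferred zone's apex DNSKEY RRset is actually anchored by the configured trust anchor: dnssec-verify only proves the zone is consistently signed with its own keys, so a zone signed with attacker-chosen keys would pass it. The following is an added example (not code from any of the posters) that recomputes DS records from the DNSKEYs in a `dig axfr` dump and compares them with DS-format trust anchors, as a validator does (RFC 4034 section 5.1.4 and appendix B). It assumes one RR per line, as dig prints by default. So that it can be checked offline it uses the DNSKEY/DS pair from RFC 4034 section 5.4 as its sample input rather than the real root KSK; the same call with apex `.` and the root-anchors DS line does the real check.

```python
"""Check that a transferred zone's apex DNSKEY RRset matches a DS trust anchor.

Added example for the thread above; not code from any of the posters.
Zone and anchor text are assumed to be one RR per line, as `dig axfr` prints.
"""
import base64
import hashlib

# DS digest types we can recompute locally (RFC 4509, RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"  # the root is a single empty label
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, proto: int, alg: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)


def ds_for_dnskey(owner: str, rdata: bytes, digest_type: int):
    """(key tag, algorithm, digest type, upper-case hex digest) for a DNSKEY."""
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_rrs(zone_text: str, rrtype: str):
    """Yield (owner, rdata fields) for every RR of one type, one RR per line.

    Accepts `owner [ttl] [class] TYPE rdata...`; comments and parentheses are
    dropped, and a base64/hex blob printed with spaces is joined by the caller.
    """
    for line in zone_text.splitlines():
        line = line.split(";")[0].replace("(", " ").replace(")", " ")
        fields = line.split()
        try:
            i = fields.index(rrtype, 1, 4)  # type token follows owner[, ttl][, class]
        except ValueError:
            continue
        yield fields[0], fields[i + 1:]


def anchored_keys(zone_text: str, apex: str, anchors_text: str) -> set:
    """Key tags of apex DNSKEYs whose recomputed DS equals a trust-anchor DS."""
    apex = apex.lower().rstrip(".")
    wanted = set()
    for owner, rd in parse_rrs(anchors_text, "DS"):
        if owner.lower().rstrip(".") != apex:
            continue
        tag, alg, dtype, *digest = rd
        wanted.add((int(tag), int(alg), int(dtype), "".join(digest).upper()))
    matched = set()
    for owner, rd in parse_rrs(zone_text, "DNSKEY"):
        if owner.lower().rstrip(".") != apex:
            continue
        flags, proto, alg, *key = rd
        rdata = dnskey_rdata(int(flags), int(proto), int(alg), "".join(key))
        # The SEP bit is only a hint; match any apex key, as validators do.
        for dtype in DS_DIGESTS:
            if ds_for_dnskey(owner, rdata, dtype) in wanted:
                matched.add(key_tag(rdata))
    return matched


def zone_is_anchored(zone_text: str, apex: str, anchors_text: str) -> bool:
    """True when at least one configured trust anchor matches an apex DNSKEY."""
    return bool(anchored_keys(zone_text, apex, anchors_text))


# Sample input: the DNSKEY/DS pair from RFC 4034 section 5.4, laid out one RR
# per line as dig prints it (key tag 60485, SHA-1 DS).
SAMPLE_ZONE = (
    "dskey.example.com. 86400 IN DNSKEY 256 3 5 "
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw==\n"
)
SAMPLE_ANCHOR = "dskey.example.com. IN DS 60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118\n"
# Constructed anchor with a wrong digest: must not match anything.
BAD_ANCHOR = "dskey.example.com. IN DS 60485 5 1 0000000000000000000000000000000000000000\n"

if __name__ == "__main__":
    print(anchored_keys(SAMPLE_ZONE, "dskey.example.com.", SAMPLE_ANCHOR))  # {60485}
    print(zone_is_anchored(SAMPLE_ZONE, "dskey.example.com.", BAD_ANCHOR))  # False
```

In the quoted script this check belongs between `dnssec-verify` and `nsdiff`, fed `root.db` and the DS form of the root trust anchor; `dnssec-dsfromkey -f root.db .` from BIND produces the same DS lines if you prefer to compare with shell tools. Note what the check does not give you: an old but validly signed copy of the zone replayed by whoever sits on the unauthenticated transfer path still passes both steps, so a production setup should also refuse a SOA serial that goes backwards and an RRSIG set that has expired.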