On Wed, Jun 20, 2018 at 09:48:40AM +1000, Mark Andrews wrote:
> Donald Eastlake’s early DNSSEC work had a working zone signature. It doesn’t
> require signing each message. It’s just relatively expensive to compute for
> large zones as it requires hashing the entire zone.
>
> RFC 2065 4.1.3 Zone Transfer (AXFR) SIG.
>
> Note this is SIG(AXFR) not SIG(0).
doc/misc/dnssec in the BIND tree has this text by Andreas Gustafsson
from 2001:

    Secure Zone Transfers

    BIND 9 does not implement the zone transfer security mechanisms of
    RFC2535 section 5.6, and we have no plans to implement them in the
    future as we consider them inferior to the use of TSIG or SIG(0) to
    ensure the integrity of zone transfers.

I wonder what the reasons for "inferior" were.

Mukund

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop