On Tue, Jun 19, 2018 at 7:15 PM Mukund Sivaraman <[email protected]> wrote:
> > There also seems to be a scalability problem with SIG(0) in that
> > generating the signature involves a public-key operation per DNS
> > message.
> >
> > For a zone transfer of the root zone from F, the AXFR contains 79
> > messages in the TCP continuation:
> >
> > ;; XFR size: 22554 records (messages 79, bytes 1335768)
>

Yup, I realize that. That was one of the reasons I mentioned that SIG(0) can also sign IXFR messages if they are available from the server, which could significantly reduce the performance impact. Thinking about it more now though, I recall that the current root zone management scheme isn't that conducive to incremental transfer, since the zone is signed monolithically twice a day (IIRC).

Anyway, I'm not really advocating for SIG(0). I'm persuaded that it isn't optimal. I was just surprised that the draft mentions other potential solutions, but didn't mention this one - perhaps it should for completeness.

Longer term, perhaps the best solution will end up being XFR using DNS over TLS (or HTTPS) with server authentication. Yes, I realize that authoritative servers are not yet the targets of those protocols, but it's probably only a matter of time.

Shumon.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
