On 21.6.2018 03:15, Shumon Huque wrote:
> On Tue, Jun 19, 2018 at 7:15 PM Mukund Sivaraman <[email protected]> wrote:
>
> > There also seems to be a scalability problem with SIG(0) in that
> > generating the signature involves a public-key operation per DNS
> > message.
> >
> > For a zone transfer of the root zone from F, the AXFR contains 79
> > messages in the TCP continuation:
> >
> > ;; XFR size: 22554 records (messages 79, bytes 1335768)
>
> Yup, I realize that. That was one of the reasons I mentioned that SIG(0) can
> also sign IXFR messages if they are available from the server, which could
> significantly reduce the performance impact. Thinking about it more now though,
> I recall that the current root zone management scheme isn't that conducive to
> incremental transfer, since the zone is signed monolithically twice a day (IIRC).
>
> Anyway, I'm not really advocating for SIG(0). I'm persuaded that it isn't
> optimal. I was just surprised that the draft mentions other potential solutions,
> but didn't mention this one - perhaps it should for completeness.
>
> Longer term, perhaps the best solution will end up being XFR using DNS over
> TLS (or HTTPS) with server authentication. Yes, I realize that authoritative
> servers are not yet the targets of those protocols, but it's probably only a matter
> of time.
HTTPS over TLS is what we did for root zone import into Knot Resolver's cache (from version 2.3 onwards but beware, there are little bugs which were fixed in 2.4 - to be released soon).

-- 
Petr Špaček @ CZ.NIC
