> On 22 Jun 2018, at 1:55 am, Wessels, Duane <[email protected]> wrote:
>
>
>> On Jun 20, 2018, at 11:19 PM, Petr Špaček <[email protected]> wrote:
>>
>>>
>>> Longer term, perhaps the best solution will end up being XFR using DNS over
>>> TLS (or HTTPS) with server authentication. Yes, I realize that authoritative
>>> servers are not yet the targets of those protocols, but it's probably
>>> only a matter
>>> of time.
>>
>> HTTPS over TLS is what we did for root zone import into Knot Resolver's
>> cache (from version 2.3 onwards but beware, there are little bugs which
>> were fixed in 2.4 - to be released soon).
>
> The problem I'm seeking to solve is somewhat different, and it's probably
> not clearly stated in the draft so I will add some text to rectify that.
>
> I'm not trying to solve the problem that SIG(0), SIG(AXFR), or TLS addresses
> -- that you're talking to the right server and that data wasn't modified
> in transit.
>
> My goal is to ensure that when you receive a zone file -- however you
> receive it (DNS, HTTPS, P2P file sharing, Avian Carrier) -- you get the
> data that the zone publisher actually published.

SIG(AXFR) does that. It is part of the zone’s contents.

> DW
>
>
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
