On Wed, 25 Jul 2018, Warren Kumari wrote:
One of the original promises of DNSSEC is that I'd be able to find a zonefile written on a napkin on a bar floor, and trust it -- currently I cannot do this.
That's a harder problem :P
As an example, let's say we'd like to distribute the rootzone over BitTorrent to people who want to do LocalRoot - how do they know they can trust the zone file before loading it? Or, in a less crazy example, distribute it over some set of CDNs - being able to know that you have the full, and correct zone without having to walk the NSECs and hope that the glue is correct would (IMO) be nice.
Once you validate the ZONEMD, it is not that much more difficult than running over all the records, e.g. with validns or ldns-read-zone. Although you could skip it and let DNSSEC failures deal with any potential records that were modified by an attacker who doesn't have the private key of that zone. That leaves glue and NS, but there is a reason those aren't signed, and any attacker shouldn't get anything out of that by modifying it (other than a DDoS, but they can always do that if they control your zonefile download).

If you do want all of that protected, which I don't think there are strong reasons for, why not place an OPENPGPKEY record in the zone and use pgp to sign it? No new custom software needed, and equally annoying validating the OPENPGPKEY as the ZONEMD data. Inventing a file checksum for DNS-only data seems a suboptimal custom solution to me (too much hammertime)

Paul

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
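The point under discussion, that a zone digest covers the glue and delegation NS records DNSSEC leaves unsigned, as an added illustration that is not code from the thread or from the ZONEMD draft: a constructed zone, a simplified ZONEMD-style digest (SHA-384 over canonically ordered presentation text rather than the draft's wire format, with the apex ZONEMD RR excluded), and a hypothetical `is_signed_by_dnssec` helper that flags which RRs DNSSEC validation alone would say nothing about.

```python
import hashlib

# Constructed sample zone in presentation format, one RR per line (not real data).
# ns.child.example./A is glue for the child.example. delegation: unsigned under DNSSEC.
ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2018072501 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
ns1.example. 3600 IN A 192.0.2.1
child.example. 3600 IN NS ns.child.example.
ns.child.example. 3600 IN A 192.0.2.53
"""

def parse_zone(text):
    """Parse 'owner ttl class type rdata' lines; owner names are lower-cased."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            rrs.append((owner.lower(), int(ttl), cls, rtype, rdata))
    return rrs

def zone_digest(text):
    """Simplified ZONEMD-style digest (assumption: hashes presentation text, not
    wire format): SHA-384 over every RR except the apex ZONEMD RR, in canonical
    order (owner labels compared right to left, then type, then RDATA)."""
    h = hashlib.sha384()
    rrs = [rr for rr in parse_zone(text) if rr[3] != "ZONEMD"]
    order = lambda r: (r[0].split(".")[::-1], r[3], r[4])
    for owner, ttl, cls, rtype, rdata in sorted(rrs, key=order):
        h.update(f"{owner} {ttl} {cls} {rtype} {rdata}\n".encode())
    return h.hexdigest()

def is_signed_by_dnssec(rr, apex, delegations):
    """Hypothetical helper: delegation NS sets and glue addresses below a
    delegation are not signed by this zone, so DNSSEC cannot detect changes."""
    owner, _, _, rtype, _ = rr
    if rtype == "NS" and owner != apex:
        return False  # NS set at the child cut
    if rtype in ("A", "AAAA") and any(owner.endswith("." + d) for d in delegations):
        return False  # glue
    return True

def verify(text, expected_digest):
    """Return (digest matches, RRs the digest covers but DNSSEC would not)."""
    rrs = parse_zone(text)
    apex = next(r[0] for r in rrs if r[3] == "SOA")
    delegations = {r[0] for r in rrs if r[3] == "NS" and r[0] != apex}
    unsigned = [f"{r[0]}/{r[3]}" for r in rrs
                if not is_signed_by_dnssec(r, apex, delegations)]
    return zone_digest(text) == expected_digest, unsigned

if __name__ == "__main__":
    good = zone_digest(ZONE)
    tampered = ZONE.replace("192.0.2.53", "203.0.113.9")  # glue rewritten in transit
    print(verify(ZONE, good))      # digest ok; lists the two unsigned RRs
    print(verify(tampered, good))  # digest mismatch catches the glue change
```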
