> On Jul 25, 2018, at 9:24 PM, Paul Wouters <[email protected]> wrote:
>
>> On Jul 25, 2018, at 20:47, Ondřej Surý <[email protected]> wrote:
>>
>> For ZONEMD, this isn't true, as you can (in theory) feed the zone with
>> an infinite amount of non-DNSSEC-signed data (GLUEs, delegations), thus
>> making the collision attack feasible.
>
> That's why I suggested already to add the count of the number of unsigned
> records to the ZONEMD record.
This sounds like a reasonable idea to me. I'd like to give some thought to whether it should be a count of unsigned records, or all records. I'll discuss it with the coauthors.

DW
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
