On Fri, Jul 27, 2018 at 11:24:33AM +0800, Davey Song wrote:
> The draft says zone digest is not for protecting zone transmission.

Where did it say that? I didn't notice it.

> IMHO, the threat model is MITM attack by malicious editing on on-disk
> data (NS and glue especially) and serve the new zone to end user. DNS
> digest intends to enable end users (resolvers) to automatically detect the
> modification (and drop the zone?).

I don't think that's entirely correct. Normal resolvers don't need to transfer in a full zone; they just send queries for individual records and validate RRSIGs. There's no zone for it to check against ZONEMD, or for it to drop if the check fails.

However, a resolver configured with a local copy of the root zone as in RFC 7706 *does* contain the full zone, and has to get it somehow. Perhaps it gets it via AXFR, perhaps via some out-of-band mechanism. Either way, once the local copy is obtained, ZONEMD allows it to be verified.

So, yes, ZONEMD does protect zone transmission. It does so regardless of channel - TLS, AXFR/IXFR, sneakernet, whatever.

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.
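The check Evan describes for an RFC 7706 local root copy, as an added illustration that is not from this thread or from any ZONEMD implementation: every record is hashed in canonical order with the apex ZONEMD record (and any RRSIG covering it) excluded, so a copy obtained over any channel can be verified, and an edited glue record is detected. The record set, serial and the text serialization are constructed for the example; the draft hashes DNSSEC canonical wire format, not this text form.

```python
import hashlib

# Constructed toy zone standing in for a locally mirrored root zone
# (RFC 7706 style): apex SOA/NS, a delegation and its glue. Not real data.
ZONE = [
    (".", "SOA", "a.root-servers.net. nstld.verisign-grs.com. 2018072700 1800 900 604800 86400"),
    (".", "NS", "a.root-servers.net."),
    (".", "NS", "b.root-servers.net."),
    ("a.root-servers.net.", "A", "198.41.0.4"),
    ("b.root-servers.net.", "A", "199.9.14.201"),
    ("example.", "NS", "a.iana-servers.net."),
    ("a.iana-servers.net.", "A", "199.43.135.53"),
]

def canonical_key(rr):
    # Canonical order: owner name compared label by label from the root,
    # then RR type, then RDATA (modelled on RFC 4034 section 6).
    owner, rtype, rdata = rr
    labels = [] if owner == "." else owner.lower().rstrip(".").split(".")
    return (list(reversed(labels)), rtype, rdata)

def zone_digest(records, apex="."):
    # SIMPLE-scheme idea: one hash over all RRs in canonical order, skipping the
    # apex ZONEMD RR and RRSIGs covering it so the digest is not self-referential.
    h = hashlib.sha384()
    for owner, rtype, rdata in sorted(records, key=canonical_key):
        if owner == apex and rtype == "ZONEMD":
            continue
        if owner == apex and rtype == "RRSIG" and rdata.split()[0] == "ZONEMD":
            continue
        # Constructed serialization; the draft uses canonical wire format here.
        h.update(f"{owner.lower()}\x00{rtype}\x00{rdata}\x00".encode())
    return h.hexdigest()

def publish(records):
    # Zone operator side: append the ZONEMD RR (serial, scheme 1, hash alg 1).
    return records + [(".", "ZONEMD", f"2018072700 1 1 {zone_digest(records)}")]

def verify_local_copy(records, apex="."):
    # Resolver side: however the copy arrived (AXFR, HTTPS, sneakernet),
    # recompute the digest and compare it with the published one.
    zonemd = [r for r in records if r[0] == apex and r[1] == "ZONEMD"]
    if not zonemd:
        return False  # no digest to check against
    return zonemd[0][2].split()[3] == zone_digest(records, apex)
```

A tampered glue A record, or a copy with the ZONEMD RR stripped, fails `verify_local_copy`, while a copy whose records merely arrive in a different order still verifies.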
