On Sat, 28 Jul 2018, Florian Weimer wrote:
A malicious server might never stop sending data, or claim that the transfer is ridiculously large. If the zone digest does not include information about the amount of data, this can only be detected after the server ended transmission, at which time the ZONEMD digest can be compared. But at this point, the client may already have filled its storage with garbage data, unless the double transfer trick is used.
I realize that hypothetically a malicious server could send you a large file of garbage. But that can happen any time you downlaod a file from anywhere. It doesn't strike me as something that needs special hackery for this rather specific case.
On the other hand, I don't see any particular reason that the ZONEMD couldn't have a field for the number of records, and it goes at the apex of the zone so you'd expect to find it near the front of the file.
Regards, John Levine, [email protected], Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
