On 30 Jul 2018, at 14:44, Wessels, Duane wrote:
> While I wouldn't necessarily be opposed to having an RR count field of some kind if there is good reason to have it, my preference would be to omit it and keep the record simpler.
I am still mystified about the scenario in which a malicious zone operator creates two zone files with the same ZONEMD hash, one with the right set of addresses for unsigned child zones, and a different one with one or more of those child zones with wrong addresses plus enough other cruft to make the colliding hashes match. In what world is that attack more likely than just not using ZONEMD?
And, even if it is possible to imagine that, requiring a hash function that has no collision attacks (like SHA-256) would suffice.
Adding an RR count field would only make the malicious zone owner's attack harder, and would complicate the field. But I still can't picture malicious zone operators who would voluntarily use ZONEMD.
--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
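The attack the thread is weighing is a second-preimage/collision on the zone digest, where glue for an unsigned child is swapped for a wrong address while the digest stays the same. The following is an added illustration, not code from the thread or from any ZONEMD implementation: it computes a simplified ZONEMD-style SHA-256 digest over a constructed parent zone, verifies it, and shows that a changed glue address fails verification with or without the debated RR count prefix (the count alone does not change when one address is replaced). The canonical form here (lowercased presentation-format text, sorted) is an assumption for illustration, not the wire-format canonical ordering a real ZONEMD uses.

```python
import hashlib
import hmac

# Constructed sample zone: a parent with a delegation and glue for an unsigned child.
ZONE = [
    ("example.", 3600, "SOA", "ns1.example. hostmaster.example. 2018073001 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("child.example.", 3600, "NS", "ns.child.example."),
    ("ns.child.example.", 3600, "A", "192.0.2.53"),  # glue the attack in the thread would alter
]


def canonical_rr(rr):
    """Assumed canonical form: lowercase owner, presentation-format fields, one RR per record."""
    owner, ttl, rtype, rdata = rr
    return f"{owner.lower()} {ttl} {rtype} {rdata}\n".encode()


def zone_digest(rrs, include_count=False):
    """Simplified ZONEMD-style digest: SHA-256 over the sorted canonical RRs.
    include_count prepends a 4-byte RR count, the optional field discussed in the thread."""
    h = hashlib.sha256()
    if include_count:
        h.update(len(rrs).to_bytes(4, "big"))
    for rr in sorted(rrs, key=canonical_rr):
        h.update(canonical_rr(rr))
    return h.hexdigest()


def verify_zone(rrs, expected_digest, include_count=False):
    """Recompute the digest over the received zone and compare in constant time."""
    return hmac.compare_digest(zone_digest(rrs, include_count), expected_digest)


def with_replaced_glue(rrs, owner, new_address):
    """Return a copy of the zone with one glue A record pointed at a different address."""
    return [(o, ttl, t, new_address if (o == owner and t == "A") else r) for o, ttl, t, r in rrs]


if __name__ == "__main__":
    published = zone_digest(ZONE)
    tampered = with_replaced_glue(ZONE, "ns.child.example.", "198.51.100.7")  # constructed wrong address
    print("genuine zone verifies:", verify_zone(ZONE, published))
    print("tampered glue verifies:", verify_zone(tampered, published))
    # Same RR count in both zones: a count field does not by itself detect a swapped address.
    print("RR counts equal:", len(ZONE) == len(tampered))
```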
