On 30.7.2018 15:32, Tony Finch wrote:
> Paul Wouters <p...@nohats.ca> wrote:
>>
>> We are looking at a way to distribute the root zone, presumably to
>> make the root servers less mission critical and for enhanced
>> privacy and reduced NXDOMAIN queries.
>
> RFC 8198 with qname minimization gives you the latter two.
>
>> We are depending on DNSSEC for integrity of the data, which just misses
>> glue/NS verification.
>
> I keep thinking it might make sense to sign non-authoritative delegation
> records, though it's really hard to see how we could get there from here.
> For instance, there isn't a flags field in RRSIG so you can't explicitly
> mark an RRset as being non-authoritative.
It is! RRSIG has a signer name field which points to the node with the
particular DNSKEY. If the signer name is shorter than the zone apex name,
the signature was created by someone up the tree.

I think this is an interesting idea worth exploring.

Petr Špaček @ CZ.NIC

>
>> It seems the way to fix this would be to have well known recursive servers
>> (8.8.8.8, 1.1.1.1, 4.4.4.4, level3, opendns, etc) also offer the root
>> zone for AXFR.
>
> This just makes the surveillance capitalists part of your mission critical
> problem area, which isn't obviously an improvement.
>
> Tony.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
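The signer-name check Petr describes, written out as an added example (this is not code from the thread, nor from any resolver or signer). It parses RRSIGs in zone-file presentation format and classifies each one by where its Signer's Name field sits relative to the apex of the zone the RRset is expected to belong to: signer equals the apex (ordinary authoritative data), signer is a proper ancestor of the apex (a parent zone signed the RRset, the thread's proposed marker for non-authoritative delegation records), or neither (reject). The zone apex is assumed to be known to the caller, as a validator knows it from the delegation chain it followed; the sample records, key tags, timestamps and signature text are constructed filler, not real cryptographic data.

```python
"""
Classify RRSIGs by the relationship between the Signer's Name field and
the apex of the zone the RRset is expected to live in.  Added example for
the signer-name idea raised in the thread; not code from the DNSOP thread
or from any DNS implementation.  The record strings are constructed
sample data (made-up key tags, timestamps and base64 signatures).
"""
from dataclasses import dataclass


def labels(name: str) -> list[str]:
    """Lowercase labels of a presentation-format name, root-most first.
    '.' -> [], 'Example.COM.' -> ['com', 'example']."""
    n = name.rstrip(".").lower()
    return list(reversed(n.split("."))) if n else []


def is_ancestor_or_equal(ancestor: str, name: str) -> bool:
    """True if `ancestor` is `name` itself or a parent of it in the tree."""
    a, b = labels(ancestor), labels(name)
    return len(a) <= len(b) and b[: len(a)] == a


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    label_count: int
    original_ttl: int
    expiration: str
    inception: str
    key_tag: int
    signer: str
    signature: str


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG in presentation format (RFC 4034 section 3.2):
    owner TTL [IN] RRSIG type alg labels origttl expire incept keytag signer sig..."""
    t = line.split()
    owner = t[0]
    i = 2  # skip owner name and TTL
    if t[i].upper() == "IN":
        i += 1
    if t[i].upper() != "RRSIG":
        raise ValueError(f"not an RRSIG: {line!r}")
    f = t[i + 1:]
    return Rrsig(owner, f[0], int(f[1]), int(f[2]), int(f[3]), f[4], f[5],
                 int(f[6]), f[7], "".join(f[8:]))


def classify(sig: Rrsig, zone_apex: str) -> str:
    """Where does the signer sit relative to the zone the RRset belongs to?

    'zone-signed'   signer is the apex itself: ordinary authoritative data
                    (the only form RFC 4035 section 5.3.1 accepts today)
    'parent-signed' signer is a proper ancestor of the apex: a zone higher
                    up the tree vouched for this RRset, which is the thread's
                    idea for marking non-authoritative delegation records
    'invalid'       signer is neither: reject
    """
    if not is_ancestor_or_equal(zone_apex, sig.owner):
        raise ValueError(f"{sig.owner} is not in zone {zone_apex}")
    if labels(sig.signer) == labels(zone_apex):
        return "zone-signed"
    if is_ancestor_or_equal(sig.signer, zone_apex):
        return "parent-signed"
    return "invalid"


# Constructed sample records (apex, RRSIG); the signature text is filler,
# not real cryptographic data, because only the signer name matters here.
SAMPLES = [
    # delegation NS for com. signed from the root: the proposed case
    ("com.", "com. 86400 IN RRSIG NS 8 1 86400 20180830000000 20180730000000 12345 . AAAAAAAAAAAAAAAAAAAA="),
    # ordinary in-zone record signed at its own apex
    ("example.com.", "www.example.com. 3600 IN RRSIG A 13 3 3600 20180830000000 20180730000000 54321 example.com. BBBBBBBBBBBBBBBBBBBB="),
    # signer is a sibling zone, not an ancestor: must be rejected
    ("example.com.", "example.com. 3600 IN RRSIG MX 13 2 3600 20180830000000 20180730000000 11111 example.net. CCCCCCCCCCCCCCCCCCCC="),
    # signer is below the apex: also rejected
    ("example.com.", "example.com. 3600 IN RRSIG SOA 13 2 3600 20180830000000 20180730000000 22222 sub.example.com. DDDDDDDDDDDDDDDDDDDD="),
]


def classify_samples() -> list[tuple[str, str, str]]:
    """Return (owner, signer, classification) for each sample record."""
    out = []
    for apex, line in SAMPLES:
        sig = parse_rrsig(line)
        out.append((sig.owner, sig.signer, classify(sig, apex)))
    return out


if __name__ == "__main__":
    for owner, signer, kind in classify_samples():
        print(f"{owner:<20} signer={signer:<18} {kind}")
```

Note that a validator following RFC 4035 section 5.3.1 as written ("The RRSIG RR's Signer's Name field MUST be the name of the zone that contains the RRset") treats the parent-signed case as bogus, which is the deployment problem Tony points to: resolvers would have to learn the new meaning before anyone could publish such signatures.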