I hear there are proposals to sign the entire contents of zones. zonemd/xhash in some subject lines.

(Forgive me if SIG(AXFR) was mentioned before...)

"Domain Name System Security Extensions", à la RFC 2065, section 4.1.3 Zone Transfer (AXFR) SIG:

"However, to efficiently assure the completeness and security of zone transfers, a SIG RR owned by the zone name must be created with a type covered of AXFR that covers all zone signed RRs in the zone and their zone SIGs but not the SIG AXFR itself."

"Domain Name System Security Extensions", à la RFC 2535, Appendix B: Changes from RFC 2065:

"3. ...In addition, the SIG covering type AXFR has been eliminated..."

I wish I could recall why. (Anyone else recall why this was dropped? I recall realizing it was a fool's errand but not the reasons.)

Yes, today's network is different. I would think, if there is concern that the glue records were mucked with and a validator were misdirected by malicious glue, the DS record would provide evidence of a redirection. For unsigned delegations, this would be an incentive to sign; for non-validating resolvers, an incentive to validate.

Now, pushing for universal deployment of DNSSEC might be improper at this juncture. The option is to develop, implement, and operate a way to "sign the contents of a zone." (Especially considering the pushback on full DNSSEC deployment.)

History isn't always the guide to follow, but we tried this once and gave up.

(Note: no comment on the merits of zonemd/xhash, just throwing in some history.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
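Added illustration, not code from the post or from any RFC implementation: a toy whole-zone digest in the spirit of the SIG(AXFR) text quoted above, showing why the covering record must exclude itself from what it covers and how any change or omission in the covered RRs is detected. The record type name ZONEHASH, the sample zone and the text-based canonical form are constructed assumptions; real DNSSEC and ZONEMD work over wire-format canonical RRs.

```python
import hashlib
import hmac

# Constructed sample zone in simplified presentation format:
# owner, TTL, class, type, rdata (one RR per line).
ZONE = """\
example.      3600 IN SOA  ns1.example. hostmaster.example. 2024010101 7200 3600 1209600 3600
example.      3600 IN NS   ns1.example.
example.      3600 IN NS   ns2.example.
ns1.example.  3600 IN A    192.0.2.1
ns2.example.  3600 IN A    192.0.2.2
www.example.  3600 IN A    192.0.2.10
"""
# Hypothetical type for the record that covers the whole zone (the role SIG(AXFR)
# played in RFC 2065). It cannot cover itself: its rdata is the digest being computed.
SELF_TYPE = "ZONEHASH"

def parse_zone(text):
    """Parse presentation-format lines into (owner, ttl, class, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        rrs.append((owner.lower(), int(ttl), cls, rtype, " ".join(rdata.split())))
    return rrs

def canonical_digest(rrs, self_type=SELF_TYPE):
    """Sort all RRs except the self record into a canonical order and hash them."""
    covered = sorted(rr for rr in rrs if rr[3] != self_type)
    h = hashlib.sha256()
    for owner, ttl, cls, rtype, rdata in covered:
        h.update(f"{owner} {ttl} {cls} {rtype} {rdata}\n".encode())
    return h.hexdigest()

def add_self_record(rrs):
    """Append the zone-wide digest record at the apex (owner of the SOA)."""
    apex = next(rr[0] for rr in rrs if rr[3] == "SOA")
    return rrs + [(apex, 3600, "IN", SELF_TYPE, canonical_digest(rrs))]

def verify_zone(rrs):
    """True only if exactly one ZONEHASH exists and it matches the covered RRs."""
    claimed = [rr[4] for rr in rrs if rr[3] == SELF_TYPE]
    return len(claimed) == 1 and hmac.compare_digest(claimed[0], canonical_digest(rrs))
```

Because the digest is over a sorted set, a transfer that reorders RRs still verifies, while a modified, added or dropped RR (a glue record pointed elsewhere, for instance) does not.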