I hear there are proposals to sign the entire contents of zones. zonemd/xhash 
in some subject lines.

(Forgive me if SIG(AXFR) was mentioned before...)

"Domain Name System Security Extensions", à la RFC 2065, section 4.1.3 Zone 
Transfer (AXFR) SIG:

"However, to efficiently
   assure the completeness and security of zone transfers, a SIG RR
   owned by the zone name must be created with a type covered of AXFR
   that covers all zone signed RRs in the zone and their zone SIGs but
   not the SIG AXFR itself."

"Domain Name System Security Extensions", à la RFC 2535, Appendix B: Changes 
from RFC 2065:

"3. ...In addition, the SIG covering type AXFR has been
      eliminated..."

I wish I could recall why.  (Anyone else recall why this was dropped?  I recall 
realizing it was a fool's errand but not the reasons.)  Yes, today's network is 
different.

I would think, if there is concern that the glue records were mucked with and 
a validator were misdirected by malicious glue, the DS record would provide 
evidence of a redirection.  For unsigned delegations, this would be an 
incentive to sign; for non-validating resolvers, an incentive to validate.

Now, pushing for universal deployment of DNSSEC might be improper at this 
juncture.

The option is to develop, implement, and operate a way to "sign the contents of 
a zone."  (Especially considering the pushback on full DNSSEC deployment.)

History isn't always the guide to follow, but we tried this once and gave up.

(Note: no comment on the merits of zonemd/xhash, just throwing in some history.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

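As an added illustration (not code from the post above or from the DNSOP thread), here is a small Python model of what a whole-zone digest such as the RFC 2065 SIG(AXFR) or ZONEMD has to do: put every RR into DNSSEC canonical form and canonical order, fold all of them except the self-referencing record into one digest, bind the digest to the SOA serial, and then verify it. The zone contents, the owner names, the use of presentation-format text as digest input and the single hard-coded IN class are all assumptions made for the example; real ZONEMD (RFC 8976) digests wire-format RRs, so this code does not produce interoperable digests. It does show why the self-referencing record must be left out, and that a single altered glue record changes the digest for the whole zone.

```python
import hashlib

# Constructed sample zone for the example (not a real zone):
# tuples of (owner, ttl, type, rdata) in presentation format.
SAMPLE_ZONE = [
    ("example.", 3600, "SOA",
     "ns1.example. hostmaster.example. 2024010101 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("example.", 3600, "NS", "ns2.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("ns2.example.", 3600, "A", "192.0.2.2"),
    ("WWW.example.", 300, "A", "192.0.2.10"),          # mixed case on purpose
    ("child.example.", 3600, "NS", "ns.child.example."),
    ("ns.child.example.", 3600, "A", "192.0.2.100"),   # glue below a delegation
]

# The record that carries the digest can never be part of its own input,
# exactly as RFC 2065 excluded the SIG AXFR from what SIG AXFR covered.
DIGEST_EXCLUDED_TYPES = {"ZONEMD"}

# Assumed identifiers for the example: scheme 1 = "simple" (whole zone),
# hash 1 = SHA-384.  Only these two values are accepted on verification.
SUPPORTED_SCHEMES = {1}
SUPPORTED_HASHES = {1: "sha384"}


def canonical_name(name: str) -> str:
    """DNSSEC canonical form of an owner name: lowercase, fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def name_sort_key(name: str):
    """Canonical ordering (RFC 4034 section 6.1): compare labels root-first."""
    labels = canonical_name(name).rstrip(".").split(".")
    return tuple(reversed(labels))


def canonical_order(rrs):
    """Sort RRs by canonical owner name, then type, then rdata."""
    return sorted(rrs, key=lambda rr: (name_sort_key(rr[0]), rr[2], rr[3]))


def soa_serial(rrs) -> str:
    """Return the serial of the zone's single SOA record."""
    soa = [rr for rr in rrs if rr[2] == "SOA"]
    if len(soa) != 1:
        raise ValueError("zone must contain exactly one SOA")
    return soa[0][3].split()[2]


def zone_digest(rrs, hash_name: str = "sha384") -> str:
    """Digest every RR except the excluded self-referencing type.

    Input is canonical presentation text, one RR per line; this is a
    simplification of RFC 8976, which digests wire-format RRs.
    """
    h = hashlib.new(hash_name)
    for owner, ttl, rtype, rdata in canonical_order(rrs):
        if rtype in DIGEST_EXCLUDED_TYPES:
            continue
        h.update(f"{canonical_name(owner)} {ttl} IN {rtype} {rdata}\n".encode())
    return h.hexdigest()


def make_zonemd(rrs, scheme: int = 1, hash_alg: int = 1):
    """Build the apex digest record: serial, scheme, hash algorithm, digest."""
    apex = [rr for rr in rrs if rr[2] == "SOA"][0][0]
    digest = zone_digest(rrs, SUPPORTED_HASHES[hash_alg])
    return (apex, 3600, "ZONEMD", f"{soa_serial(rrs)} {scheme} {hash_alg} {digest}")


def verify_zonemd(rrs) -> bool:
    """True only if exactly one supported ZONEMD at the apex matches the zone."""
    apex = canonical_name([rr for rr in rrs if rr[2] == "SOA"][0][0])
    zmd = [rr for rr in rrs
           if rr[2] == "ZONEMD" and canonical_name(rr[0]) == apex]
    if len(zmd) != 1:
        return False
    serial, scheme, hash_alg, digest = zmd[0][3].split()
    if serial != soa_serial(rrs):          # stale digest from an older zone
        return False
    if int(scheme) not in SUPPORTED_SCHEMES or int(hash_alg) not in SUPPORTED_HASHES:
        return False
    return zone_digest(rrs, SUPPORTED_HASHES[int(hash_alg)]) == digest


if __name__ == "__main__":
    signed = SAMPLE_ZONE + [make_zonemd(SAMPLE_ZONE)]
    print("intact zone verifies:", verify_zonemd(signed))
    tampered = [(o, t, ty, "198.51.100.66") if o == "ns.child.example." else (o, t, ty, rd)
                for (o, t, ty, rd) in signed]
    print("zone with altered glue verifies:", verify_zonemd(tampered))
```

Because ordering and case are canonicalised before hashing, two servers holding the same zone in different file order produce the same digest, which is the property a transfer check needs; changing one glue address, or bumping the serial without regenerating the record, makes verification fail.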