On Thu, 2 Aug 2018, Paul Hoffman wrote:
Note that the checksum in this case must be at least as
cryptographically strong as the signature algorithm used
in the individual RRSIGs/DNSKEYs.
Not true.
If the resolver is validating, the ZONEMD only adds assurance that the
non-signed records are there. Thus, the hash algorithm for the zone is
unrelated to the hash algorithms in the signatures.
Then don't cover signed RRsets with ZONEMD. Then this problem goes away,
and you force implementations to validate all records before putting
them in the cache.
If the resolver is not validating, the ZONEMD assures that all the records
are there. The strength of that assurance is the same as the second pre-image
strength of the hash. However, the resolver cannot say "oh, look, now I can
start resolving with what I got in the zone transfer": it still needs to
validate every RRSIG all the way to the root.
That's not what people are going to do. They are going to grab the
AXFR'ed data, check the checksum and throw it in the "validated" cache
and they won't revalidate every root zone entry they are about to serve.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
