On Thu, Aug 09, 2018 at 02:19:08PM +0000, Edward Lewis wrote:
> FWIW, this message was spurred by this comic strip [yes, today as I write]:
> http://dilbert.com/strip/2018-08-09.
Cute.
> "Will the time taken to generate and verify this record add to the security
> of a zone transfer?"
Perhaps a sensible way to secure zone transfer is at the transport
layer. Presumably DNS over TLS is compatible with AXFR. If desired,
authentication can be via DANE. Just publish a TLSA RRset:
example.net. IN SOA nsa.example.net. hostmaster.example.net. ...
example.net. IN NS nsa.example.net.
nsa.example.net. IN A 192.0.2.1
_853._tcp.nsa.example.net. IN TLSA 3 1 1 fbefbd9e5b54696792bab92cf329669edaca16d0b09dcfdd16fe3e1bd8ab08e9
and do the AXFR transfer over TLS. This does not require pre-computation
of a zone checksum. Just obtain the zone transfer from a suitably
trusted source.
--
Viktor.
_______________________________________________
DNSOP mailing list
dnsop@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
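The DANE check the message relies on, as an added example that is not part of the original post or any DNS implementation: it derives the TLSA owner name for the DoT port, parses a TLSA record in presentation format, and tests a presented end-entity certificate or its SubjectPublicKeyInfo against the record's association data for usage 3 (DANE-EE). The DER blobs, the `make_tlsa_rdata` helper and all function names are constructed assumptions; a real client would obtain the DER from the TLS handshake and the TLSA RRset from a DNSSEC-validated lookup.

```python
import hashlib
import hmac
import re

DOT_PORT = 853  # DNS over TLS port (RFC 7858)


def tlsa_owner(host: str, port: int = DOT_PORT, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for a TLS service, e.g. _853._tcp.nsa.example.net."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa(rdata: str):
    """Parse TLSA presentation format: <usage> <selector> <matching type> <hex data>."""
    usage, selector, mtype, data = rdata.split(None, 3)
    data = re.sub(r"\s+", "", data)  # tolerate hex wrapped across lines in a zone file
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def make_tlsa_rdata(spki_der: bytes) -> str:
    """Hypothetical helper: the '3 1 1' RDATA a zone operator publishes for a given SPKI."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def _association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Pick the full certificate (selector 0) or its SPKI (selector 1), then apply the matching type."""
    chosen = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return chosen                              # exact match on the raw DER
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity cert satisfies a DANE-EE (usage 3) TLSA record.

    Usages 0-2 additionally require PKIX chain validation, which is out of scope here,
    so they are rejected instead of being silently treated as a match.
    """
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:
        raise ValueError(f"usage {usage} needs PKIX validation; only DANE-EE is handled")
    expected = _association_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(expected, assoc)  # constant-time comparison of digests


# Constructed sample: stand-ins for the DER certificate and SPKI a DoT server would present.
SAMPLE_CERT_DER = b"constructed-der-certificate-placeholder"
SAMPLE_SPKI_DER = b"constructed-der-subjectpublickeyinfo-placeholder"
SAMPLE_RDATA = make_tlsa_rdata(SAMPLE_SPKI_DER)  # what nsa.example.net's operator would publish

if __name__ == "__main__":
    print(tlsa_owner("nsa.example.net"), "IN TLSA", SAMPLE_RDATA)
    print("match:", tlsa_matches(SAMPLE_RDATA, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

Because usage 3 pins the server's own key and skips the CA chain, the TLSA RRset only adds security when it was obtained with DNSSEC validation; an unvalidated answer lets whoever controls the resolver path substitute a record for their own key.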