> On Oct 25, 2018, at 1:44 PM, Paul Wouters <[email protected]> wrote:
>
>> Subject: Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt
>
> Duane,
>
> It seems this document is really aiming at the root zone, even though
> there is some text about making it sort of general.

Hi Paul,

Certainly the root zone use case is of particular interest to me, but I
also believe it is a mistake to focus narrowly on that. I've heard others
say they think it's useful in general, and I think as time goes on it will
find more use cases.

> What if we signed root-servers.net and allowed people to AXFR that
> zone along with the root zone. Would there be any need to do any
> checksumming? It seems a much simpler solution to protecting the unsigned
> glue records than a new checksum method.

First, I don't really see how it makes things simpler. You'd have to look
in two places (zones) rather than one.

Second, a signed root-servers.net zone doesn't cover all the root zone
glue. From the presentation I recently gave at DNS-OARC
(https://indico.dns-oarc.net/event/29/contributions/656/), a root zone
from August 2018 has 10,773 total RRsets, 1400 of which are signed, and
9373 are unsigned.

Whether or not root-servers.net should be signed is, IMO, a separate
discussion.

DW
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
