On Mon, 29 Oct 2018, Wessels, Duane wrote:

>> What if we signed root-servers.net and allowed people to AXFR that
>> zone along with the root zone. Would there be any need to do any
>> checksumming? It seems a much simpler solution to protecting the unsigned
>> glue records than a new checksum method.
>
> First, I don't really see how it makes things simpler.  You'd have to look
> in two places (zones) rather than one.

It would then all be using just DNSSEC, and not other kinds of
authentication or verification schemes that _also_ need DNSSEC.

> Second, a signed root-servers.net zone doesn't cover all the root zone glue.

Indeed, I was wrong there. And to turn all that glue into signed records
will be a larger task, even if assuming all newgTLDs would have signed
records for the glue in the root.

> Whether or not root-servers.net should be signed is, IMO, a separate discussion.

Yeah, I only meant in the context of this discussion.

So you convinced me that it is okay to move forward with this.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
