On Wed, 8 Jan 2020, Michael StJohns wrote:
> I'm running a private copy of the root zone for my organization. I (automated) check the SOA every so often, and arrange for a download of the zone when it changes. I (automated) get a copy of the zone data, including a ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD RR is invalid (hashes don't match). I do: [various things]
I know this isn't the answer you want, but it still depends. One-size-fits-all error recovery is rarely possible. I also realize you're trying to tease out a single answer to the question of whether a ZONEMD failure is more likely to be a bogus zone or a broken signer, and it still depends.
In the rather peculiar case of the root zone, ZONEMD for the first time covers the otherwise completely unauthenticated A/AAAA records for the root servers, since root-servers.net remains unsigned, so it can detect tampering that we couldn't detect before. Since we happen to know that significant changes to the root are fairly rare, I'd keep using the old version of the root and flag the failure for someone to look at.
In other applications, the risks and consequences are different, so I'd probably do something different.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
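The two mechanisms discussed in the message, the ZONEMD digest that covers unsigned glue and the "keep the old zone and flag it" recovery rule, as an added Python example that is not code from the thread or from any DNS software. It implements the RFC 8976 SIMPLE scheme with SHA-384 over canonical wire-format RRs, builds a small constructed zone shaped like the root (fictional names under .test, documentation addresses, made-up serial), shows that altering a glue A record invalidates the digest even though nothing DNSSEC-related changed, and then applies the recovery rule. DNSSEC validation of the ZONEMD RRSIG is assumed to happen elsewhere and is not modelled.

```python
"""Added example, not code from the DNSOP thread: RFC 8976 ZONEMD (SIMPLE
scheme, SHA-384) over a constructed zone, plus the recovery rule from the
message (on mismatch keep the old zone and flag it for a human)."""
import hashlib
import hmac
import ipaddress
import struct

# RR type codes from the IANA registry; class is always IN in this example.
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA, TYPE_RRSIG, TYPE_ZONEMD = 1, 2, 6, 28, 46, 63
CLASS_IN = 1
SCHEME_SIMPLE, HASH_SHA384 = 1, 1     # RFC 8976 scheme / hash algorithm codes
APEX, SERIAL = ".", 2020010800        # constructed values, not the real root's


def wire_name(name):
    """Uncompressed, lowercased wire-format name (RFC 4034 s6.2 canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def name_sort_key(name):
    """Canonical name ordering (RFC 4034 s6.1): compare labels right to left."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def rd_soa(mname, rname, serial, refresh, retry, expire, minimum):
    return wire_name(mname) + wire_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)


def canonical_rr(owner, ttl, rtype, rdata):
    """One RR in canonical wire format: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def zonemd_digest(zone, apex=APEX):
    """SIMPLE scheme: SHA-384 over every RR in canonical order, leaving out the
    apex ZONEMD RRset and any apex RRSIG covering ZONEMD (RFC 8976 s3.4)."""
    apex_key = name_sort_key(apex)
    kept = []
    for owner, ttl, rtype, rdata in zone:
        if name_sort_key(owner) == apex_key:
            if rtype == TYPE_ZONEMD:
                continue
            if rtype == TYPE_RRSIG and struct.unpack("!H", rdata[:2])[0] == TYPE_ZONEMD:
                continue
        kept.append((owner, ttl, rtype, rdata))
    # Owner name in canonical order, then type, then RDATA bytes (RFC 4034 s6.3).
    kept.sort(key=lambda rr: (name_sort_key(rr[0]), rr[2], rr[3]))
    h = hashlib.sha384()
    for rr in kept:
        h.update(canonical_rr(*rr))
    return h.digest()


def build_zone(glue_a="192.0.2.1"):
    """Constructed zone shaped like the root: apex SOA/NS, one TLD delegation
    and glue A/AAAA for the name server below it. In a real signed zone that
    glue carries no RRSIG, which is why ZONEMD adds coverage there."""
    return [
        (".", 86400, TYPE_SOA, rd_soa("a.root-servers.test.", "hostmaster.test.",
                                      SERIAL, 1800, 900, 604800, 86400)),
        (".", 518400, TYPE_NS, wire_name("a.root-servers.test.")),
        ("test.", 172800, TYPE_NS, wire_name("a.root-servers.test.")),
        ("a.root-servers.test.", 3600000, TYPE_A, ipaddress.IPv4Address(glue_a).packed),
        ("a.root-servers.test.", 3600000, TYPE_AAAA, ipaddress.IPv6Address("2001:db8::1").packed),
    ]


def add_zonemd(zone):
    """Publisher side: append the apex ZONEMD RR computed over the zone."""
    rdata = struct.pack("!IBB", SERIAL, SCHEME_SIMPLE, HASH_SHA384) + zonemd_digest(zone)
    return zone + [(APEX, 86400, TYPE_ZONEMD, rdata)]


def verify_zonemd(zone):
    """Consumer side (RFC 8976 s4). Returns (ok, reason). DNSSEC validation of
    the ZONEMD RRSIG is assumed to have been done already; not modelled here."""
    apex_key = name_sort_key(APEX)
    soa = [rr for rr in zone if rr[2] == TYPE_SOA and name_sort_key(rr[0]) == apex_key]
    zonemds = [rr for rr in zone if rr[2] == TYPE_ZONEMD and name_sort_key(rr[0]) == apex_key]
    if not soa or not zonemds:
        return False, "missing apex SOA or ZONEMD"
    soa_serial = struct.unpack("!IIIII", soa[0][3][-20:])[0]
    for _, _, _, rdata in zonemds:
        serial, scheme, hashalg = struct.unpack("!IBB", rdata[:6])
        if serial != soa_serial or (scheme, hashalg) != (SCHEME_SIMPLE, HASH_SHA384):
            continue                    # stale or unsupported ZONEMD RR: ignore it
        if hmac.compare_digest(rdata[6:], zonemd_digest(zone)):
            return True, "digest matches"
        return False, "digest mismatch"
    return False, "no usable ZONEMD RR"


def choose_zone(current, candidate):
    """Recovery rule from the message: keep serving the zone already loaded and
    raise a flag for a human rather than load a zone whose digest fails."""
    ok, reason = verify_zonemd(candidate)
    if ok:
        return candidate, None
    return current, "ZONEMD failure on new zone (" + reason + "); kept previous copy"


if __name__ == "__main__":
    good = add_zonemd(build_zone())
    tampered = build_zone("203.0.113.9") + [good[-1]]   # glue altered, same ZONEMD RR
    print(verify_zonemd(good), verify_zonemd(tampered), choose_zone(good, tampered)[1])
```

The tampered copy keeps the publisher's ZONEMD RR intact, so an RRSIG over that RR would still validate; only recomputing the digest over the whole zone exposes the changed glue. The serial check in verify_zonemd is the RFC 8976 rule that a ZONEMD RR whose serial does not match the SOA is ignored, which is what distinguishes a stale digest from a mismatching one.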
