If the root zone had a ZONEMD in it, for the first time I'd have a way to
validate the IP addresses in the *.root-servers.net glue records.
Someone suggested you could validate them by trying a query and seeing if
you get an answer, which is of course wrong. That tells you you've found a
server with the root zone, but it doesn't defend against someone giving
you fake glue and sniffing your queries, something that I hear is an issue
if the DoT/DoH discussions are to be believed.
To answer another question, I can't give you one size fits all advice
about what to do if the ZONEMD validation fails, but if it does, it seems
like something you'd want to know about.
R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
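The check John describes, written out as an added example that is not part of the thread (stdlib-only Python, not code from any of the participants): verify a copy of the zone against its apex ZONEMD record using the RFC 8976 SIMPLE scheme with SHA-384, then compare the glue seen in a priming response against the A records in the verified copy. The zone contents, SOA serial, the two names under root-servers.net and the RFC 5737 addresses are constructed for the example; the code handles A, NS and SOA records only and leaves out DNSSEC and duplicate-RR suppression.

```python
# Added example, not from the thread: verify a zone copy against its ZONEMD
# (RFC 8976, scheme SIMPLE, hash SHA-384), then check priming glue against the
# verified zone. Toy zone, constructed RFC 5737 addresses, A/NS/SOA only, no DNSSEC.
import hashlib
import hmac
import ipaddress
import struct
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_ZONEMD = 1, 2, 6, 63
SCHEME_SIMPLE, HASH_SHA384 = 1, 1      # ZONEMD scheme and hash algorithm codes

def _labels(name):
    return [] if name in (".", "") else name.rstrip(".").lower().split(".")

def wire_name(name):
    """Canonical wire-format name (RFC 4034 s6.2): lowercase, absolute, uncompressed."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"

def name_key(name):
    """Sort key giving canonical name order (RFC 4034 s6.1): labels compared from the root."""
    return tuple(reversed(_labels(name)))

def wire_rr(owner, ttl, rtype, rdata):
    """One RR in canonical wire form: owner, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return wire_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def soa_of(rrs):
    """(apex name key, SOA serial); the serial is the first of the SOA's five trailing u32s."""
    soa = next(r for r in rrs if r[2] == TYPE_SOA)
    return name_key(soa[0]), struct.unpack("!I", soa[3][-20:-16])[0]

def zonemd_digest(rrs):
    """SIMPLE scheme: SHA-384 over every RR in canonical order, except the apex
    ZONEMD RRset itself (a digest cannot cover itself)."""
    apex, _ = soa_of(rrs)
    covered = [r for r in rrs if not (r[2] == TYPE_ZONEMD and name_key(r[0]) == apex)]
    covered.sort(key=lambda r: (name_key(r[0]), r[2], r[3]))   # owner, then TYPE, then RDATA
    h = hashlib.sha384()
    for rr in covered:
        h.update(wire_rr(*rr))
    return h.digest()

def make_zonemd_rr(rrs, ttl=86400):
    """Apex ZONEMD RR: serial (copied from the SOA), scheme, hash algorithm, digest."""
    apex_name = next(r[0] for r in rrs if r[2] == TYPE_SOA)
    rdata = struct.pack("!IBB", soa_of(rrs)[1], SCHEME_SIMPLE, HASH_SHA384) + zonemd_digest(rrs)
    return (apex_name, ttl, TYPE_ZONEMD, rdata)

def verify_zonemd(rrs):
    """True iff some apex ZONEMD RR with a supported scheme/hash and the SOA's serial
    matches the recomputed digest (RFC 8976 s4); ZONEMD RRs we cannot evaluate are skipped."""
    apex, serial = soa_of(rrs)
    for owner, _ttl, rtype, rdata in rrs:
        if rtype != TYPE_ZONEMD or name_key(owner) != apex:
            continue
        if struct.unpack("!IBB", rdata[:6]) != (serial, SCHEME_SIMPLE, HASH_SHA384):
            continue
        if hmac.compare_digest(rdata[6:], zonemd_digest(rrs)):
            return True
    return False

def glue_addresses(rrs):
    """Owner name -> set of IPv4 addresses, from the A records carried in the zone."""
    glue = {}
    for owner, _ttl, rtype, rdata in rrs:
        if rtype == TYPE_A:
            glue.setdefault(owner.lower(), set()).add(str(ipaddress.IPv4Address(rdata)))
    return glue

def check_priming_glue(rrs, observed):
    """Compare glue from a priming response with the digest-verified zone copy.
    Returns [(name, observed, expected)] mismatches; [] means the glue agrees."""
    if not verify_zonemd(rrs):
        raise ValueError("ZONEMD verification failed: do not trust this zone copy")
    expected = glue_addresses(rrs)
    return [(n, sorted(a), sorted(expected.get(n.lower(), ())))
            for n, a in observed.items() if a != expected.get(n.lower(), set())]

def soa_rdata(mname, rname, serial):
    return wire_name(mname) + wire_name(rname) + struct.pack("!IIIII", serial, 1800, 900, 604800, 86400)

# Constructed mini "root" zone; the addresses are RFC 5737 documentation space, not real servers.
ZONE = [
    (".", 86400, TYPE_SOA, soa_rdata("a.root-servers.net.", "hostmaster.example.", 2021010100)),
    (".", 518400, TYPE_NS, wire_name("a.root-servers.net.")),
    (".", 518400, TYPE_NS, wire_name("b.root-servers.net.")),
    ("a.root-servers.net.", 518400, TYPE_A, ipaddress.IPv4Address("192.0.2.1").packed),
    ("b.root-servers.net.", 518400, TYPE_A, ipaddress.IPv4Address("192.0.2.2").packed),
]
ZONE.append(make_zonemd_rr(ZONE))

# Constructed priming responses: one honest, one carrying fake glue for a.root-servers.net.
GOOD_GLUE = {"a.root-servers.net.": {"192.0.2.1"}, "b.root-servers.net.": {"192.0.2.2"}}
FAKE_GLUE = {"a.root-servers.net.": {"198.51.100.9"}, "b.root-servers.net.": {"192.0.2.2"}}

if __name__ == "__main__":
    print("zone verifies:", verify_zonemd(ZONE))
    print("honest glue mismatches:", check_priming_glue(ZONE, GOOD_GLUE))
    print("fake glue mismatches:", check_priming_glue(ZONE, FAKE_GLUE))
```

A zone copy whose glue was altered in transit fails verify_zonemd(), because the altered A record changes the recomputed digest while the apex ZONEMD still carries the publisher's value; a priming response whose glue disagrees with a verified copy shows up as a mismatch from check_priming_glue(). The example deliberately skips ZONEMD RRs whose serial, scheme or hash algorithm it cannot evaluate, as RFC 8976 requires, so a stale ZONEMD left behind after a serial bump does not verify either.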