If the root zone had a ZONEMD in it, for the first time I'd have a way to validate the IP addresses in the *.root-servers.net glue records.

Someone suggested you could validate them by trying a query and seeing if you get an answer, which is of course wrong. That tells you you've found a server with the root zone, but it doesn't defend against someone giving you fake glue and sniffing your queries, something that I hear is an issue if the DoT/DoH discussions are to be believed.

To answer another question, I can't give you one-size-fits-all advice about what to do if the ZONEMD validation fails, but if it does, it seems like something you'd want to know about.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
