On 22/12/2020 10:27, Willem Toorop wrote:
Recently, also the ldns library has been extended with zone-digest functionality. ZONEMD RRs can now be calculated and added with ldns-signzone, and verified with ldns-verify-zone. This is available on the develop branch on https://github.com/NLnetLabs/ldns; this will also be released early next year.
With ZONEMD verification in ldns-verify-zone, and the CreDNS zone verification mechanism in NSD, there is also support for ZONEMD verification in NSD (not signing!). With a zone transfer (inbound), NSD/CreDNS verifies the zone integrity using ldns-verify-zone. Only if the zone is correct will the zone be transferred (outbound) to (public) secondary name servers.
See also the IETF 109 DNSOP WG presentation of Willem: https://datatracker.ietf.org/meeting/109/materials/slides-109-dnsop-sessb-dns-hackathon-results-00.
Best,

-- Benno

--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
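The integrity check behind the transfer gate described in this message, as an added example (not code from ldns, NSD or either author): a ZONEMD verification for the SIMPLE scheme with SHA-384 as specified in RFC 8976. It assumes class IN and RDATA already in canonical wire form (uncompressed, lower-cased names); the zone `example.` and the helper names are constructed for illustration.

```python
import hashlib, hmac, struct

SOA, RRSIG, ZONEMD = 6, 46, 63            # RR type codes

def wire_name(name):
    """Lower-cased, uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def canonical_key(rr):
    """Sort key: owner labels right to left, then type, then RDATA."""
    owner, rtype, _ttl, rdata = rr
    labels = [l.encode("ascii") for l in owner.lower().rstrip(".").split(".") if l]
    return (labels[::-1], rtype, rdata)

def zone_digest(apex, rrs):
    """SHA-384 zone digest (scheme SIMPLE); rrs are (owner, type, ttl, rdata)."""
    apex_w, h = wire_name(apex), hashlib.sha384()
    for owner, rtype, ttl, rdata in sorted(set(rrs), key=canonical_key):
        if wire_name(owner) == apex_w and (
            rtype == ZONEMD                  # apex ZONEMD RRs are not hashed
            or (rtype == RRSIG and rdata[:2] == struct.pack("!H", ZONEMD))
        ):
            continue                         # nor are the RRSIGs covering them
        h.update(wire_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)
    return h.digest()

def verify_zonemd(apex, rrs):
    """True only if an apex ZONEMD (scheme 1, SHA-384) matches the zone."""
    apex_w = wire_name(apex)
    at_apex = [r for r in rrs if wire_name(r[0]) == apex_w]
    soa = [r[3] for r in at_apex if r[1] == SOA]
    if len(soa) != 1:
        return False
    serial = struct.unpack("!I", soa[0][-20:-16])[0]   # SOA ends in 5 x uint32
    want = zone_digest(apex, rrs)
    for rd in (r[3] for r in at_apex if r[1] == ZONEMD):
        if len(rd) < 6:
            continue
        z_serial, scheme, alg = struct.unpack("!IBB", rd[:6])
        if (z_serial, scheme, alg) == (serial, 1, 1) and hmac.compare_digest(rd[6:], want):
            return True
    return False

def sample_zone():
    """Constructed zone 'example.' with serial 2020122200, class IN."""
    soa = wire_name("ns1.example.") + wire_name("admin.example.") + struct.pack(
        "!5I", 2020122200, 7200, 3600, 1209600, 3600)
    return [("example.", SOA, 3600, soa),
            ("example.", 2, 3600, wire_name("ns1.example.")),     # NS
            ("ns1.example.", 1, 3600, bytes([192, 0, 2, 53]))]    # A
```

A primary that gates outbound transfers on this check would refuse to serve the zone whenever `verify_zonemd` returns False, including when the ZONEMD record is missing or its serial does not match the SOA.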
