Ralf Weber <[email protected]> wrote:
    >> I'll defer to the DoH experts there.  But we do need to be careful when
    >> we say HTTPS to indicate whether we mean transferring a zone file
    >> itself, vs performing an in-band DNS transfer.

    > I (as well as Michael) was thinking of serving the zone file via https as
    > this is probably the easiest thing to get it served by web folks. I think
    > we should include this in the draft.

Whether there is a layer of HTTPS (and JSON/JOSE) between the TLS and the DNS
doesn't change the challenge of making the TLS work.
It could equally be XoH, AXFR-over-DoT.
The DNS objects (whether wire or presentation format) are all still DNSSEC
signed.   I think that the (outer) layer of TLS is about integrity check to make
it harder for an attacker to suppress some pieces, breaking the transfer.

I imagine that the DNS operators know how to make DNS scale well.
So for them, XoH or XoT would be "trivial".
Meanwhile, if one wants the contents made available outside of DNS operators,
then an HTTPS static file is smart.

How are all these localroot servers synchronizing their copies?
Are we concerned if there is skew among servers?  How much?
Obviously, at some point the DNSSIG RRs expire.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
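The skew and expiry questions above can be checked mechanically on each served copy, whether it was fetched as a static file over HTTPS or via XoT. The following is an added example, not code from this thread or from any localroot project: it parses RRSIG records in presentation format from a constructed zone excerpt (the key tag and base64 signature fields are placeholders, not real root-zone data), classifies each copy as ok, expiring, expired or not-yet-valid against a supplied clock, and reports whether the copies agree on the SOA serial. The "expiring" rule, which treats a copy as stale once the earliest RRSIG expiration is closer than the RRset's original TTL plus a margin, is an assumed operational policy chosen for this example, not something the draft specifies.

```python
"""Check RRSIG validity windows and serial skew across served copies of a signed zone.

Standard library only. Zone text is in presentation (zone file) format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG RDATA: type-covered algorithm labels original-ttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+"
    r"(?P<ottl>\d+)\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
)


@dataclass
class RRSig:
    owner: str
    type_covered: str
    original_ttl: int
    expiration: datetime
    inception: datetime


def _ts(value: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text: str) -> list[RRSig]:
    sigs = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            sigs.append(RRSig(m["owner"], m["type"], int(m["ottl"]), _ts(m["exp"]), _ts(m["inc"])))
    return sigs


def soa_serial(zone_text: str):
    """Return the SOA serial, or None if no SOA line is present."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3] == "SOA":
            return int(f[6])
    return None


def assess_copy(zone_text: str, now: datetime, margin: timedelta = timedelta(hours=1)) -> str:
    """Classify one served copy relative to `now`: unsigned, not_yet_valid, expired, expiring, ok."""
    sigs = parse_rrsigs(zone_text)
    if not sigs:
        return "unsigned"
    if any(now < s.inception for s in sigs):
        return "not_yet_valid"          # clock skew, or a copy published ahead of its inception
    if any(now >= s.expiration for s in sigs):
        return "expired"
    # Assumed policy: a validator may keep the RRset for up to original_ttl after fetching it,
    # so the copy must be replaced at least that long (plus a margin) before the earliest expiry.
    if any(now + timedelta(seconds=s.original_ttl) + margin >= s.expiration for s in sigs):
        return "expiring"
    return "ok"


def compare_copies(copies: dict[str, str], now: datetime) -> dict:
    """copies maps a server name to the zone text it served. Reports status and serial agreement."""
    status = {name: assess_copy(text, now) for name, text in copies.items()}
    serials = {name: soa_serial(text) for name, text in copies.items()}
    return {"status": status, "serials": serials, "in_sync": len(set(serials.values())) == 1}


def make_sample_zone(serial: int, inception: str, expiration: str) -> str:
    """Constructed minimal signed-zone excerpt; key tag and signature are placeholders."""
    sig = "8 0 {ttl} {exp} {inc} 46780 . dGVzdA=="
    return "\n".join([
        f". 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. {serial} 1800 900 604800 86400",
        ". 86400 IN RRSIG SOA " + sig.format(ttl=86400, exp=expiration, inc=inception),
        ". 518400 IN NS a.root-servers.net.",
        ". 518400 IN RRSIG NS " + sig.format(ttl=518400, exp=expiration, inc=inception),
    ]) + "\n"


# Constructed copies as three hypothetical localroot servers might serve them.
NOW = datetime(2024, 1, 5, tzinfo=timezone.utc)
COPIES = {
    "fresh": make_sample_zone(2024010400, "20240102160000", "20240115170000"),
    "lagging": make_sample_zone(2023123100, "20231224110000", "20240106120000"),
    "dead": make_sample_zone(2023121500, "20231217000000", "20231231000000"),
}


def demo() -> dict:
    return compare_copies(COPIES, NOW)


if __name__ == "__main__":
    for name, result in demo()["status"].items():
        print(f"{name}: {result}")
    print("in sync:", demo()["in_sync"])
```

Run against real copies by replacing the constructed zone text with whatever each server returned; the per-server status tells you which copy needs re-fetching before its signatures stop validating, and `in_sync` flags serial skew before it shows up as validation failures at clients.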

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]