On 11:09 05/12, A. Schulze via nsd-users wrote:
> Hi Anand!
>
> On 04.12.21 at 12:12, Anand Buddhdev via nsd-users wrote:
> > ZONEMD is expected to appear in the root zone next year.
>
> ok, good to know.
>
> > As Wouter explained, NSD is an authoritative-only server, and usually has
> > no need to verify zones. Usually, NSD will be configured as a secondary,
> > and XFR zones from primaries using TSIG.
> so it looks like zone transfer over TCP+TLS and TSIG and DNSSEC are enough
> integrity checks to /assume/
> data served by a secondary aren't corrupted.
>
> well, doesn't sound like a strange assumption but I thought, ZONEMD was also
> developed as a next layer on top.
>
We at .CL use ZONEMD as an integrity check after transfer in all nodes. It's
an ad-hoc process for now, outside the server, so we're not concerned that
nsd doesn't have plans to implement it.

Hugo