[dns-operations] New root AXFR service? (Was: Re: the thread of the week)

Mark Andrews Mark_Andrews at isc.org
Fri Aug 3 02:20:43 UTC 2007


> Paul Vixie wrote:
> > some kind of AXFR-only service seems indicated.  we could put one
> > up on 192.5.5.242 in a few days if IANA asked for it.  (that's F+1
> > as IP addresses go.)
> 
> It should come as no surprise that I think this is a great idea.
> 
> To take it a step further you could publish a TSIG key on the web
> site, signed by the current BIND pgp signing key. This would obviously
> not provide the same layer of authentication that DNSSEC would, but it
> would protect against data that might be mangled in flight. (One could
> also argue that this would be a bad thing because it would make a mitm
> attack more legitimate looking to the naive eye, but my feeling is
> that it's better to have it than not.) What requiring TSIG for the
> transfer _would_ do is raise the required wizardry level quite a bit.

	TSIG is not useful if the contents are not secret.

	TKEY would work but it extends the transaction time and consumes
	memory.

	RRSIG AXFR is the solution that scales.
 
> Throw in IXFR and you'll greatly reduce the required bandwidth for all
> concerned (and avoid the meta-discussion about whether it's a good
> thing to rev the serial on the root zone twice a day in the absence of
> a real content change).
> 
> To raise the required wizardry level a little higher still, what I'm
> currently thinking about is that rather than provide the commented out
> example of how to do it (using whatever mechanism), I could provide
> comments on where to go to find the instructions to do it. That way we
> could ensure that anyone who moves forward with this at least has
> enough clueballs in their pocket to follow instructions. It would also
> allow me to provide more depth in terms of the pros and cons for doing
> it than I can in the comments of the conf file.
> 
> Do you actually need David to make a formal request? Or is this
> something you would consider doing if enough community members said
> that it sounds like a good idea? (And no, the irony of that question
> coming from me is not lost.)
> 
> Doug
> 
> -- 
>     If you're never wrong, you're not trying hard enough
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
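Added example, not from this thread or from ISC/BIND's own shipped configuration: a BIND 9 named.conf fragment that slaves the root zone from the proposed AXFR-only address with the published TSIG key and IXFR, as Doug describes. The key name, secret and file path are placeholders; only 192.5.5.242 comes from the thread.

```conf
// Added example (not from the thread): slave the root zone from the
// proposed AXFR-only service. Key name, secret and file path are placeholders.

key "root-axfr-key" {
    algorithm hmac-sha256;
    // A key published on a web site is known to everyone, so TSIG here only
    // detects in-flight mangling; it does not prove who sent the zone.
    secret "PLACEHOLDER-BASE64-SECRET-FROM-PUBLISHED-KEY";
};

server 192.5.5.242 {
    keys { "root-axfr-key"; };   // sign transfer requests to this master
    request-ixfr yes;            // ask for incremental transfers, full AXFR as fallback
};

zone "." {
    type slave;
    file "slave/root.zone";
    masters { 192.5.5.242; };
    notify no;                   // never announce our copy of the root to anyone
    allow-transfer { none; };    // do not redistribute the zone from this host
};
```

Because the published key gives integrity only, as Mark notes, comparing the served SOA serial against the live root servers is the only check that the local copy is both authentic and current.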