[dns-operations] cool idea regarding root zone inviolability

Paul Vixie paul at redbarn.org
Mon Dec 1 23:13:38 UTC 2014


> Paul Vixie <mailto:paul at redbarn.org>
> Sunday, November 30, 2014 2:29 PM
>
> why? (your use case is not obvious from what you've written.) ...
>
> Chuck Anderson <mailto:cra at wpi.edu>
> Monday, December 01, 2014 7:09 AM
>
> Silent on-disk corruption. It happens, and it would be nice to be
> able to detect that.
>
if you're concerned about operating system or hardware or network
errors, then i assume you're also concerned about them hitting your name
server executable, in which case you'll be running a file system like
ZFS that catches these things.

if you're concerned about malevolent on-disk editing, then i assume
you're running something like tripwire to snapshot with secure hashes
every file in your operating system, and that it will have hooks to
manage and monitor the zone files as well.

either way i'm not seeing a unique "has to be done with an in-zone
signature" situation here.

-- 
Paul Vixie