[dns-operations] Assuring the contents of the root zone

[Paul Hoffman]

People have asked for two things:

1) Getting the root zone by means other than AXFR, such as by HTTP

2) Being sure that they got the exact root zone, including all of the glue records

A signed hash meets (2) regardless of how the zone was transmitted.

Having an in-band way of getting the key that doing the signature vastly reduces the hassle of validating the signature. Even if you don't agree with (1) and would only care about verifying the contents of the zone with AXFR, you still need to know which key signed the hash and trust its provenance. The zone signing key is already such a key. A second type of key that could be used is a key that is listed in the zone, with an RRSIG over the second key. A third type of key would be one that was trusted though out-of-DNS reasons, such as by a mutually-trusted web CA.

You can either publish the signed hash in the zone itself, or sign the hash and have it external to the zone (such as in a detached signature, or in a wrapped message).

Adding a record that says "here is a hash of this zone", and adding an RRSIG for that record, is the simplest solution. There are other solutions that are exactly as secure; however, they are all more complex, and some involve using the zone signing key for signing something other than the contents of an RRSIG.

--Paul Hoffman