[dns-operations] Assuring the contents of the root zone

Doug Barton dougb at dougbarton.us
Tue Dec 2 05:38:38 UTC 2014


It's hard for me to see how this would easily handle dynamic updates.


On 12/1/14 5:56 PM, George Michaelson wrote:
> Here is a strawman, to try and understand the discussion.
> If we imagine some datastream which is the result of an AXFR or HTTP
> request.
>   <cmd> | tr 'A-Z' 'a-z' | sort -u | <checker>
> this takes the stream, does LWSP replacement, and sorts the lines
> alphabetically and generates e.g. SHA256
> the tr phase is just for example. presumably a more complex set of rules
> is required to DeMangLE the case conversion and punycode, but the sense
> is that we have a deterministic state of any label in the zone and its
> attributes as an encoding.
> The sort phase generates a single understood (POSIX sort) order of
> bytes. These can then be compared.
> Why is this worse than e.g. an RR by RR comparison, walking the NSEC
> chains? What I like about it is that it's applicable to being given the
> data OOB. If you have what is a putative zone, then you can apply this
> logic, and determine if the zone matches what is published elsewhere as
> a canonical state of the zone.
> The RR by RR and NSEC walk feels like a DNS expert's approach. Not a
> systems/generic approach.
> -G
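An added illustration of the canonicalise, sort and hash idea in the strawman above (example code written for this page, not from the post or any project): each record has its owner name lowercased and its whitespace collapsed, duplicates are dropped and the set is sorted before hashing. The zone records are constructed; the same zone presented twice with different order, case and spacing yields one digest, while any changed or added record, such as a dynamic update would produce, yields a different one, which is why a published reference digest must be regenerated after every update.

```python
import hashlib
import re

# Constructed sample data: the same four records presented twice, with
# differing case, whitespace and line order (ZONE_B also repeats one record).
ZONE_A = """
example.\t3600 IN NS  a.iana-servers.net.
EXAMPLE.  3600 IN NS  b.iana-servers.net.
www.example. 300 IN A 192.0.2.1
Example.   3600   IN   SOA ns.example. admin.example. 1 7200 3600 1209600 3600
"""

ZONE_B = """
www.example.  300 IN A 192.0.2.1
example. 3600 IN SOA ns.example. admin.example. 1 7200 3600 1209600 3600
example. 3600 IN NS b.iana-servers.net.
example. 3600 IN NS a.iana-servers.net.
example. 3600 IN NS a.iana-servers.net.   ; duplicate line, removed like sort -u
"""


def canonical_lines(zone_text):
    """Return the de-duplicated, byte-ordered list of normalised records."""
    records = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line)      # collapse runs of whitespace
        # Only the owner name is lowercased: RDATA such as TXT is case-
        # sensitive, so a blanket tr 'A-Z' 'a-z' would merge distinct records.
        fields[0] = fields[0].lower()
        records.add(" ".join(fields))
    return sorted(records)                   # same order as LC_ALL=C sort -u


def zone_digest(zone_text):
    """SHA-256 over the canonical record set, one record per line."""
    payload = "\n".join(canonical_lines(zone_text)).encode("ascii") + b"\n"
    return hashlib.sha256(payload).hexdigest()


def same_zone(zone_text_a, zone_text_b):
    """True when both presentations canonicalise to the same digest."""
    return zone_digest(zone_text_a) == zone_digest(zone_text_b)


if __name__ == "__main__":
    print(zone_digest(ZONE_A))
    print("match:", same_zone(ZONE_A, ZONE_B))
```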
