[dns-operations] Assuring the contents of the root zone

Paul Vixie paul at redbarn.org
Tue Dec 2 06:13:02 UTC 2014

George Michaelson wrote:
> Its not designed to handle dynamic updates. Its designed to handle
> being given, or accessing an entire zone state, and having a
> canonicalization method which can be applied by anyone, using POSIX
> tools to determine if its correct and complete

george, dns is dynamic now. a signature method must address the update
case. here's what i wrote in response to paul-h:

> i'm imagining a stream cipher that begins as the H(K,zone) and then is
> updated to be H(K,H_old,delta) for each change to the zone, which
> would have to be calculated by the responder in the case of UPDATE,
> but could then be issued as a succession of new "zone signature" RR's
> during IXFR. the "zone signature" RR would have to be like SOA,
> there-can-be-only-one, so what might look like a "set" of them in an
> IXFR, is really a bunch of changes to the one-and-only. ...

Paul Vixie

More information about the dns-operations mailing list