[dns-operations] cool idea regarding root zone inviolability

Mark Andrews marka at isc.org
Thu Nov 27 21:43:12 UTC 2014

In message <CAHw9_iLdGnkmErvoVHhj41fswM6+5yj0tdxrSj17KdhzqTyGrw at mail.gmail.com>, Warren Kumari writes:
> ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others
> (who I, embarrassingly enough, have forgotten) are planning on writing a "zone
> signature" draft (I have an initial version in an edit buffer). The 50,000
> meter view is:
> Sort all the records in canonical order (including glue)
> Cryptographically sign this
> Stuff the signature in a record
> This allows you to verify that you have the full and complete zone (.de...)
> and that it didn't get corrupted in transfer.
> This solves a different, but related issue.
> Hope to finally get off my butt and post -00 soon.
> W

Which is similar to RFC 2065, 4.1.3 Zone Transfer (AXFR) SIG except
dynamic updates would update the record and it would be in the zone.


Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
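
The outline quoted above (canonical sort including glue, one signature over the whole zone), as an added Python example that is not code from the draft or from either poster. Assumptions: HMAC-SHA256 with a shared key stands in for the public-key signature, ordering by type number within a name is a choice made here, only A, AAAA and NS are encoded, and `ZONE`, `KEY` and all function names are constructed for the illustration.

```python
import hashlib, hmac, ipaddress, struct

TYPES = {"A": 1, "NS": 2, "AAAA": 28}   # only the types in the sample zone

def labels(name):
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    # Lowercased, uncompressed wire form (RFC 4034, section 6.2).
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"

def wire_rdata(rtype, text):
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(text).packed
    if rtype == "NS":
        return wire_name(text)
    raise ValueError("unsupported type: " + rtype)

def canonical_rrs(records):
    # Owner names compared label by label from the right (RFC 4034, 6.1),
    # then type number (assumption), then RDATA octets (RFC 4034, 6.3).
    rows = []
    for owner, ttl, rtype, text in records:
        rdata = wire_rdata(rtype, text)
        rows.append((labels(owner)[::-1], TYPES[rtype], rdata, ttl, owner))
    rows.sort(key=lambda r: r[:3])
    return [wire_name(o) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
            for _, t, rd, ttl, o in rows]

def zone_mac(records, key):
    # HMAC-SHA256 is a stand-in for the signature step of the proposal.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for rr in canonical_rrs(records):
        mac.update(rr)
    return mac.hexdigest()

def verify_zone(records, key, expected):
    return hmac.compare_digest(zone_mac(records, key), expected)

KEY = b"constructed-demo-key"          # constructed sample key
ZONE = [                               # constructed sample zone, with glue
    ("example.", 3600, "NS", "ns1.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("sub.example.", 3600, "NS", "ns.sub.example."),
    ("ns.sub.example.", 3600, "A", "192.0.2.53"),   # glue below the cut
    ("ns1.example.", 3600, "AAAA", "2001:db8::1"),
]
```

Because the unsigned glue is part of the input, a transfer that drops or alters it fails `verify_zone`, which per-RRset DNSSEC signatures alone would not reveal.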
