[dns-operations] cool idea regarding root zone inviolability

Warren Kumari warren at kumari.net
Thu Nov 27 21:48:35 UTC 2014


On Thursday, November 27, 2014, Mark Andrews <marka at isc.org> wrote:

> In message <CAHw9_iLdGnkmErvoVHhj41fswM6+5yj0tdxrSj17KdhzqTyGrw at mail.gmail.com>, Warren Kumari writes:
> >
> > ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others
> > (who I, embarrassingly enough, have forgotten) are planning on writing a
> > "zone signature" draft (I have an initial version in an edit buffer). The
> > 50,000 meter view is:
> > Sort all the records in canonical order (including glue)
> > Cryptographically sign this
> > Stuff the signature in a record
> >
> > This allows you to verify that you have the full and complete zone (.de...)
> > and that it didn't get corrupted in transfer.
> > This solves a different, but related issue.
> >
> > Hope to finally get off my butt and post -00 soon.
> >
> > W
>
> Which is similar to RFC 2065, 4.1.3 Zone Transfer (AXFR) SIG except
> dynamic updates would update the record and it would be in the zone.
>
>
Jah.

W


> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
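
An added sketch of the three steps quoted above (not code from the thread or from the planned draft): it sorts every record, glue included, into a simplified canonical order, authenticates the result, and carries the value in one apex record. The `ZONESIG` type name, the text-form record encoding, the sample zone and the use of HMAC-SHA256 in place of a public-key signature are all assumptions made for illustration.

```python
import hashlib
import hmac

SIG_TYPE = "ZONESIG"  # hypothetical record type name, not a real RR type

def canonical_key(rr):
    """Order by owner name, labels compared right to left and lowercased
    (as in RFC 4034 section 6.1), then by type and RDATA text."""
    owner, rtype, rdata = rr
    labels = [l for l in owner.lower().split(".") if l]
    return (labels[::-1], rtype, rdata)

def zone_digest(records):
    """SHA-256 over every record, glue included, in canonical order."""
    h = hashlib.sha256()
    for owner, rtype, rdata in sorted(set(records), key=canonical_key):
        h.update(f"{owner.lower()}\t{rtype}\t{rdata}\n".encode())
    return h.digest()

def sign_zone(records, key, apex):
    """Return the zone plus one apex record carrying the signature.
    HMAC stands in for a public-key signature in this sketch."""
    body = [r for r in records if r[1] != SIG_TYPE]
    tag = hmac.new(key, zone_digest(body), hashlib.sha256).hexdigest()
    return body + [(apex, SIG_TYPE, tag)]

def verify_zone(zone, key):
    """True only if the received zone is complete and unmodified."""
    sigs = [r for r in zone if r[1] == SIG_TYPE]
    body = [r for r in zone if r[1] != SIG_TYPE]
    if len(sigs) != 1:
        return False
    expected = hmac.new(key, zone_digest(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sigs[0][2], expected)

# Constructed sample zone. The last record is glue for a delegation,
# which DNSSEC signatures do not cover.
APEX = "example."
KEY = b"constructed-demo-key"
ZONE = [
    (APEX, "SOA", "ns1.example. hostmaster.example. 1 7200 3600 1209600 3600"),
    (APEX, "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("sub.example.", "NS", "ns.sub.example."),
    ("ns.sub.example.", "A", "192.0.2.53"),
]
```

Because the digest is taken over the sorted records, the order in which a transfer delivers them does not matter, while a dropped or altered glue record changes the result.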