[dns-operations] cool idea regarding root zone inviolability

Paul Vixie paul at redbarn.org
Thu Nov 27 21:55:28 UTC 2014



> Warren Kumari <mailto:warren at kumari.net>
> Thursday, November 27, 2014 1:11 PM
> ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few
> others (who I, embarrassingly enough, have forgotten) are planning on
> writing a "zone signature" draft (I have an initial version in an edit
> buffer). The 50,000 meter view is:
> Sort all the records in canonical order (including glue)
> Cryptographically sign this
> Stuff the signature in a record
>
> This allows you to verify that you have the full and complete zone
> (.de...) and that it didn't get corrupted in transfer.
> This solves a different, but related issue.

would this draft change the setting of the AA bit on a secondary
server's responses, or make it unwilling to answer under some
conditions? right now there is no dependency, AA is always set. but if
we're going to make it conditional, then it should be conditioned on the
signatures matching all the way up-chain to a trust anchor, which would
require an authority server to also contain a validator and be able to
make iterative queries. so, i wonder about the use case for your draft.

-- 
Paul Vixie
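Warren's three-step sketch (sort the zone canonically including glue, sign it, stuff the signature in a record), as an added Go example that is not part of this thread or of any draft: records are ordered per the RFC 4034 canonical owner-name rule, the sorted zone is hashed under an assumed text serialisation, and the digest is signed with Ed25519; the record type, serialisation and algorithm are all assumptions, and the zone data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"sort"
	"strings"
)

type RR struct{ Name, Type, RData string } // minimal record in presentation form; TTL omitted

// canonKey sorts like RFC 4034 section 6: lowercase labels compared root-first and byte-wise,
// a name before every name below it (\x01 joins labels, \x00 ends the name); then type, then RDATA.
func canonKey(rr RR) string {
	parts := strings.Split(strings.TrimSuffix(strings.ToLower(rr.Name), "."), ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i] // reverse so the TLD label comes first
	}
	return strings.Join(parts, "\x01") + "\x00" + rr.Type + "\x00" + rr.RData
}

// CanonicalOrder returns a sorted copy of the whole zone, glue included.
func CanonicalOrder(rrs []RR) []RR {
	out := append([]RR(nil), rrs...)
	sort.SliceStable(out, func(i, j int) bool { return canonKey(out[i]) < canonKey(out[j]) })
	return out
}

// ZoneDigest hashes the ordered zone in an assumed text serialisation; input order is irrelevant.
func ZoneDigest(rrs []RR) []byte {
	h := sha256.New()
	for _, rr := range CanonicalOrder(rrs) {
		h.Write([]byte(strings.ToLower(rr.Name) + " " + rr.Type + " " + rr.RData + "\n"))
	}
	return h.Sum(nil)
}

// SignZone yields the value stuffed into the signature record; VerifyZone is the secondary's check
// that it holds the complete zone and that nothing was corrupted in transfer.
func SignZone(priv ed25519.PrivateKey, rrs []RR) []byte { return ed25519.Sign(priv, ZoneDigest(rrs)) }
func VerifyZone(pub ed25519.PublicKey, rrs []RR, sig []byte) bool { return ed25519.Verify(pub, ZoneDigest(rrs), sig) }

// SampleZone is a constructed, deliberately unsorted zone with a delegation and its glue.
var SampleZone = []RR{
	{"ns.sub.example.test.", "A", "192.0.2.53"}, // glue for the sub delegation
	{"example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 3600 900 1209600 300"},
	{"sub.example.test.", "NS", "ns.sub.example.test."},
	{"ns1.example.test.", "A", "192.0.2.1"}, // glue for the zone's own nameserver
	{"Example.Test.", "NS", "ns1.example.test."},
}
```

Because the digest covers the sorted zone rather than the transfer order, a secondary that received the records in any order verifies the same signature, while a transfer that lost the glue or altered an RDATA fails.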