[dns-operations] cool idea regarding root zone inviolability

Warren Kumari warren at kumari.net
Thu Nov 27 22:20:07 UTC 2014

On Thursday, November 27, 2014, Paul Vixie <paul at redbarn.org> wrote:

> Warren Kumari <warren at kumari.net>
> Thursday, November 27, 2014 1:11 PM
> ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others
> (whom I, embarrassingly enough, have forgotten) are planning on writing a "zone
> signature" draft (I have an initial version in an edit buffer). The 50,000
> meter view is:
> Sort all the records in canonical order (including glue)
> Cryptographically sign this
> Stuff the signature in a record
> This allows you to verify that you have the full and complete zone
> (.de...) and that it didn't get corrupted in transfer.
> This solves a different, but related issue.
> would this draft change the setting of the AA bit on a secondary server's
> responses, or make it unwilling to answer under some conditions? right now
> there is no dependency, AA is always set. but if we're going to make it
> conditional, then it should be conditioned on the signatures matching all
> the way up-chain to a trust anchor, which would require an authority server
> to also contain a validator and be able to make iterative queries. so, i
> wonder about the use case for your draft.
> --
> Paul Vixie

This allows a slave (or anyone else who wants to validate a zone, e.g. a
master loading from disk) to know that they have a full and correct zone.
This covers things like accidental zone truncation (which has bitten some
folk), zone file corruption, etc. If someone hands me a zone somehow (e.g.
AXFR) and asks me to serve it I'd like a way to make sure it hasn't been
accidentally (or intentionally) changed. I'm assuming I'd want my name
server software to refuse to load the zone and try retransfer, throw an
error, or similar.
The signature could be (and the way I'd envisioned it) DNSSEC, so up to a
TA, or a manually configured key specific to the zone.


I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
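The zone-signature scheme sketched in this thread (sort every record including glue into canonical order, sign the whole thing, stuff the signature in a record, and refuse the zone if it does not verify), as an added Python example that is not from the post or from any draft. The `_zonesig` TXT record name and the HMAC under a manually configured zone-specific key are assumptions standing in for whatever the draft would specify; the zone data is constructed.

```python
import hashlib
import hmac

# Constructed sample zone (example.) in presentation form, not taken from the post.
# Each RR is (owner, ttl, class, type, rdata); glue for the in-zone NS names is included.
ZONE = [
    ("example.", 3600, "IN", "SOA", "ns1.example. hostmaster.example. 2014112701 7200 3600 1209600 3600"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("example.", 3600, "IN", "NS", "ns2.example."),
    ("www.example.", 300, "IN", "A", "192.0.2.10"),
    ("ns2.example.", 3600, "IN", "A", "192.0.2.2"),
    ("ns1.example.", 3600, "IN", "A", "192.0.2.1"),
]

# Hypothetical name and type for the record that carries the signature (not from any draft).
SIG_OWNER = "_zonesig.example."
SIG_TYPE = "TXT"


def canonical_key(rr):
    """RFC 4034 s6.1 canonical name order: case-fold the owner and compare its labels
    from the root end, so a parent sorts before its children; ties are broken by
    class, type and RDATA in the spirit of s6.3."""
    owner, _ttl, rclass, rtype, rdata = rr
    labels = tuple(reversed(owner.lower().rstrip(".").split(".")))
    return (labels, rclass, rtype, rdata)


def canonical_form(records):
    """Serialise the whole zone (glue included) in canonical order, one RR per line.
    The signature record itself is never part of the signed data."""
    body = [rr for rr in records if not (rr[0] == SIG_OWNER and rr[3] == SIG_TYPE)]
    lines = ["%s %d %s %s %s" % (rr[0].lower(), rr[1], rr[2], rr[3], rr[4])
             for rr in sorted(body, key=canonical_key)]
    return ("\n".join(lines) + "\n").encode()


def sign_zone(records, key):
    """Return the records plus one signature RR. HMAC-SHA256 under a manually configured,
    zone-specific key stands in for the DNSSEC-chained signature the post envisions."""
    mac = hmac.new(key, canonical_form(records), hashlib.sha256).hexdigest()
    return list(records) + [(SIG_OWNER, 3600, "IN", SIG_TYPE, mac)]


def verify_zone(records, key):
    """True only if exactly one signature RR is present and it matches the full zone;
    a loader would refuse the zone (and retry the transfer) on False."""
    sigs = [rr[4] for rr in records if rr[0] == SIG_OWNER and rr[3] == SIG_TYPE]
    if len(sigs) != 1:
        return False
    expected = hmac.new(key, canonical_form(records), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sigs[0])
```

Because the check runs over the canonical form, a zone received in a different record order still verifies, while a truncated transfer, a corrupted RDATA value or a missing signature record does not.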