[dns-operations] cool idea regarding root zone inviolability

Francisco Obispo fobispo at uniregistry.link
Thu Nov 27 22:40:17 UTC 2014


+1

And if someone is already serving the root zone, they can always modify the server to return AA.

I'm also wondering about the use case.

Francisco Obispo

> On Nov 27, 2014, at 1:55 PM, Paul Vixie <paul at redbarn.org> wrote:
> 
> 
> 
>> Warren Kumari, Thursday, November 27, 2014 1:11 PM:
>> ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others (who I, embarrassingly enough, have forgotten) are planning on writing a "zone signature" draft (I have an initial version in an edit buffer). The 50,000 meter view is:
>> Sort all the records in canonical order (including glue)
>> Cryptographically sign this
>> Stuff the signature in a record
>> 
>> This allows you to verify that you have the full and complete zone (.de...) and that it didn't get corrupted in transfer.
>> This solves a different, but related issue.
> 
> would this draft change the setting of the AA bit on a secondary server's responses, or make it unwilling to answer under some conditions? right now there is no dependency, AA is always set. but if we're going to make it conditional, then it should be conditioned on the signatures matching all the way up-chain to a trust anchor, which would require an authority server to also contain a validator and be able to make iterative queries. so, i wonder about the use case for your draft.
> 
> -- 
> Paul Vixie
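The three steps Warren sketches above (canonical ordering, a signature over the whole zone including glue, the signature stuffed into a record) are small enough to show end to end. The Python below is an added example written for this page, not code from the thread or from the draft its authors were planning. It assumes a hypothetical record type named ZONESIG to carry the signature, and it uses HMAC-SHA256 as a stand-in for the asymmetric signature a real draft would use; the sample zone and key are constructed. The idea was later standardized in digest form as ZONEMD (RFC 8976), where DNSSEC signs the digest record.

```python
import hashlib
import hmac

# Constructed sample zone, not taken from the thread: apex records, a
# delegation, and the glue A record that the delegation needs.  It is
# deliberately not in canonical order.
SAMPLE_ZONE = [
    ("example.", 3600, "SOA", "ns1.example. hostmaster.example. 1 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("example.", 3600, "NS", "ns2.example."),
    ("www.example.", 3600, "A", "192.0.2.80"),
    ("ns2.example.", 3600, "A", "192.0.2.2"),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("sub.example.", 3600, "NS", "ns.sub.example."),
    ("ns.sub.example.", 3600, "A", "192.0.2.53"),  # glue below the zone cut
]

SIG_TYPE = "ZONESIG"  # hypothetical record type holding the zone signature


def name_key(name):
    """Canonical DNS name order (RFC 4034 section 6.1): labels are compared as
    lowercase octet strings starting from the rightmost label."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def canonical_sort(records):
    """Order (owner, ttl, type, rdata) tuples by owner name, then type, then
    RDATA.  Type and RDATA are compared as text here; a real implementation
    compares numeric type codes and canonical wire-format RDATA."""
    return sorted(records, key=lambda r: (name_key(r[0]), r[2], r[3].encode()))


def zone_digest(records):
    """SHA-256 over the canonically ordered zone.  The signature record is
    skipped so that the signature never has to cover itself."""
    h = hashlib.sha256()
    for owner, ttl, rtype, rdata in canonical_sort(records):
        if rtype == SIG_TYPE:
            continue
        h.update(f"{owner.lower()} {ttl} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def sign_zone(records, key):
    """Return a copy of the zone with one signature record at the apex.
    HMAC-SHA256 stands in for an asymmetric signature; with a real signature
    the verifier would hold only the public key."""
    apex = canonical_sort(records)[0][0]  # shortest name sorts first
    mac = hmac.new(key, zone_digest(records).encode(), "sha256").hexdigest()
    return [r for r in records if r[2] != SIG_TYPE] + [(apex, 0, SIG_TYPE, mac)]


def verify_zone(records, key):
    """True only if exactly one signature record is present and it matches the
    recomputed digest of every other record, glue included."""
    sigs = [r[3] for r in records if r[2] == SIG_TYPE]
    if len(sigs) != 1:
        return False
    expected = hmac.new(key, zone_digest(records).encode(), "sha256").hexdigest()
    return hmac.compare_digest(sigs[0], expected)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    signed = sign_zone(SAMPLE_ZONE, key)
    print("signed zone verifies:", verify_zone(signed, key))
    # Drop the glue record, as a corrupted or truncated transfer might.
    no_glue = [r for r in signed if r[0] != "ns.sub.example."]
    print("zone without glue verifies:", verify_zone(no_glue, key))
```

Because the digest is computed over the canonically sorted records, a transfer that merely reorders the zone still verifies, while a changed RDATA value, a dropped glue record or a second signature record all fail. Note that this checks only that the secondary holds the complete zone the signer produced; as Paul points out above, it says nothing about whether that signer chains up to a trust anchor, which is a separate question for the AA bit.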