[dns-operations] cool idea regarding root zone inviolability
Mark Andrews
marka at isc.org
Thu Nov 27 22:45:26 UTC 2014
In message <54779DD0.4070009 at redbarn.org>, Paul Vixie writes:
> > Warren Kumari <mailto:warren at kumari.net>
> > Thursday, November 27, 2014 1:11 PM
> > ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few
> > others (who I embarrassingly enough have forgotten) are planning on
> > writing a "zone signature" draft (I have an initial version in an edit
> > buffer). The 50,000 meter view is:
> > Sort all the records in canonical order (including glue)
> > Cryptographically sign this
> > Stuff the signature in a record
> >
> > This allows you to verify that you have the full and complete zone
> > (.de...) and that it didn't get corrupted in transfer.
> > This solves a different, but related issue.
>
> would this draft change the setting of the AA bit on a secondary
> server's responses, or make it unwilling to answer under some
> conditions? right now there is no dependency, AA is always set. but if
> we're going to make it conditional, then it should be conditioned on the
> signatures matching all the way up-chain to a trust anchor, which would
> require an authority server to also contain a validator and be able to
> make iterative queries. so, i wonder about the use case for your draft.
>
> --
> Paul Vixie
Just having a cryptographically strong zone self-consistency check
is a big win with IXFR. If that fails you AXFR the zone and try
again.
For the root zone you don't need an iterative validator as you would
have the root as a trust anchor and in general an authoritative
server needs an iterative resolver for NOTIFY.
As to whether you iterate or not also depends on the trust anchors
installed, whether the keys are RFC 5011 managed or similar. Having
a managed trust anchor for every zone isn't a big deal.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
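The "sort in canonical order, sign, stuff the signature in a record" scheme sketched in the quoted message, as an added worked example that is not code from this thread or from any draft. It assumes a toy zone constructed inline, a hypothetical apex record type `ZONESIG`, and an HMAC-SHA256 over the canonical zone digest as a stand-in for a real public-key signature; the point it shows is that the check is independent of record order and fails when a record is dropped or altered in transfer.

```python
import hashlib
import hmac

# Constructed toy zone, deliberately out of order, with glue included
# (the A records for ns1/ns2), as the sketch says.
ZONE = [
    ("www.example.", "A", "192.0.2.10"),
    ("example.", "SOA", "ns1.example. hostmaster.example. 2014112701 3600 900 604800 300"),
    ("ns1.example.", "A", "192.0.2.1"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NS", "ns2.example."),
    ("ns2.example.", "A", "192.0.2.2"),
    ("Mail.example.", "MX", "10 mail.example."),
]

def name_key(owner):
    """RFC 4034 s6.1 canonical name order: labels compared right to left, lowercased."""
    labels = [l.lower().encode() for l in owner.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def canonical_order(records):
    """Sort by canonical owner name, then type, then RDATA (lowercased for the demo)."""
    return sorted(records, key=lambda r: (name_key(r[0]), r[1], r[2].lower()))

def zone_signature(records, key):
    """Digest the whole zone in canonical order, then 'sign' the digest (HMAC stand-in)."""
    h = hashlib.sha256()
    for owner, rtype, rdata in canonical_order(records):
        h.update(f"{owner.lower()} {rtype} {rdata.lower()}\n".encode())
    return hmac.new(key, h.digest(), hashlib.sha256).hexdigest()

def signature_record(records, key):
    """Stuff the signature into a record at the apex (hypothetical ZONESIG type)."""
    return ("example.", "ZONESIG", zone_signature(records, key))

def verify_zone(records, key):
    """Separate the signature record from the data, recompute, compare in constant time."""
    sig = [r for r in records if r[1] == "ZONESIG"]
    data = [r for r in records if r[1] != "ZONESIG"]
    if len(sig) != 1:
        return False
    return hmac.compare_digest(sig[0][2], zone_signature(data, key))

KEY = b"constructed-demo-key"          # constructed; a real scheme would use a DNSSEC key
signed = ZONE + [signature_record(ZONE, KEY)]
```

A `False` from `verify_zone` after an IXFR is the point at which the "AXFR the zone and try again" fallback described above would apply.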