[dns-operations] cool idea regarding root zone inviolability
Warren Kumari
warren at kumari.net
Thu Nov 27 22:48:12 UTC 2014
On Thursday, November 27, 2014, Francisco Obispo <fobispo at uniregistry.link>
wrote:
> +1
>
> And if someone is already serving the root zone, they can always modify
> the server to return AA.
>
> I'm also wondering about the use case.
>
See above - this has *nothing* to do with setting or not setting AA. This
simply allows the entity serving a zone to confirm that they have a
complete, uncorrupt, and untampered copy of the zone. Think of it as a
cryptographic checksum if you like.
Before serving a zone (as a master or slave) I'd like to know it is
correct...
W
>
> Francisco Obispo
>
> On Nov 27, 2014, at 1:55 PM, Paul Vixie <paul at redbarn.org
> <javascript:_e(%7B%7D,'cvml','paul at redbarn.org');>> wrote:
>
>
>
> <postbox-contact.jpg>
> Warren Kumari <javascript:_e(%7B%7D,'cvml','warren at kumari.net');>
> Thursday, November 27, 2014 1:11 PM
> ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others
> (who I embarrassing enough have forgotten) are planning on writing a "zone
> signature" draft (I have an initial version in an edit buffet). The 50,000
> meter view is:
> Sort all the records in canonical order (including glue)
> Cryptographicly sign this
> Stuff the signature in a record
>
> This allows you to verify that you have the full and complete zone
> (.de...) and that it didn't get corrupted in transfer.
> This solves a different, but related issue.
>
>
> would this draft change the setting of the AA bit on an secondary server's
> responses, or make it unwilling to answer under some conditions? right now
> there is no dependency, AA is always set. but if we're going to make it
> conditional, then it should be conditioned on the signatures matching all
> the way up-chain to a trust anchor, which would require an authority server
> to also contain a validator and be able to make iterative queries. so, i
> wonder about the use case for your draft.
>
> --
> Paul Vixie
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> <javascript:_e(%7B%7D,'cvml','dns-operations at lists.dns-oarc.net');>
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
>
--
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
---maf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141127/1d252fd3/attachment.html>
More information about the dns-operations
mailing list