[dns-operations] cool idea regarding root zone inviolability

Paul Vixie paul at redbarn.org
Sat Nov 29 00:22:17 UTC 2014

> Fred Morris <mailto:m3047 at m3047.net>
> Friday, November 28, 2014 3:07 PM
> ... is not mathematically necessary. As a simple counterexample, XOR is
> commutative and associative: it doesn't matter the order you XOR multiple
> blocks in. Not saying XOR is the One True Way, just that implementation
> details like that are probably a distraction at this point.

any zone-level signature has to be crypto-authentic. XOR is too easy to
"fix up", as in, add or delete your desired changes, compare the new
checksum to the old one, then add a TXT RR that causes the new checksum
to match the old one.

so, i'm not in favour of zone-level signatures per se, but if they're
coming, then marka at isc's characterization of them as "sorting and
hashing" is mathematically nec'y.

Paul Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141128/13d0934a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141128/13d0934a/attachment.jpg>

More information about the dns-operations mailing list