[dns-operations] cool idea regarding root zone inviolability

Paul Vixie paul at redbarn.org
Sat Nov 29 22:57:56 UTC 2014

> Evan Hunt <mailto:each at isc.org>
> Saturday, November 29, 2014 2:00 PM
> An out-of-band signature can only cover an out-of-band transfer. An
> in-band signature could cover both kinds.
well, sure, but at the expense of the secondary server having to read
every byte of the transferred zone contents, which is currently unnec'y
for servers using an mmap'd file that they only access sparsely and at
need. (whereas the prospective out-of-band transfer method already has
to touch every byte of the zone contents, and could therefore verify a
signature "for free".)

this matters, because if the secondary server is going to have to
iterate through the whole zone after loading it, it might as well just
verify the DNSSEC signatures and NSEC chain. that wouldn't test for
"validity" of the zone, but it would be a consistency check of the same
depth as any zone-level signature could offer. and what's better is,
incremental changes via IXFR or UPDATE could then be tested incrementally.

here, i'm specifically thinking of zones so large that touching every
byte of their content is a multiple-minutes cost.

Paul Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141129/d6955d1d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141129/d6955d1d/attachment.jpg>

More information about the dns-operations mailing list