[dns-operations] cool idea regarding root zone inviolability

Tony Finch dot at dotat.at
Sun Nov 30 14:26:51 UTC 2014


Paul Vixie <paul at redbarn.org> wrote:
>
> dan kaminsky proposed several years ago that a stub be able to request,
> by EDNS, the full RRSIG/DNSKEY/DS chain from the qname upward to some
> specified TA, to permit stub validation without requiring a stub cache
> or to spend many round trips on a validation.

You can do that with the current DNS protocol: just send all the queries
and wait for all the replies. (This is particularly easy over TCP.)
There's no need for more than one round trip in most cases, or maybe two
if the answer involves CNAME/MX/SRV etc.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Iceland: Southerly veering southwesterly 7 to severe gale 9,
occasionally storm 10 for a time in northwest. Rough or very rough, becoming
high. Rain then wintry showers. Moderate, occasionally poor.
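
An added illustration of the approach described in the reply above (not part of Tony Finch's message, and not code from any resolver): it lists every query a stub would need to validate a name up to a root trust anchor and packs them into a single pipelined TCP stream. The function names and the sample name `www.example.com` are assumptions made for this example, and it covers only the single-round-trip case, not the CNAME/MX/SRV follow-up.

```python
import struct

TYPES = {"A": 1, "DS": 43, "DNSKEY": 48}  # RR type codes

def chain_questions(qname, qtype="A"):
    """Every (name, type) needed to validate qname up to a root trust anchor."""
    fqdn = qname.rstrip(".") + "."
    labels = [l for l in fqdn.split(".") if l]
    questions = [(fqdn, qtype)]
    # The stub does not know where the zone cuts are, so ask at every ancestor.
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        questions += [(name, "DNSKEY"), (name, "DS")]
    questions.append((".", "DNSKEY"))  # the root has no DS; the TA covers it
    return questions

def encode_name(name):
    """Wire-format name: length-prefixed labels, zero-length root label last."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def encode_query(msg_id, name, rtype):
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", TYPES[rtype], 1)  # class IN
    # EDNS0 OPT RR: root name, type 41, 4096-byte payload, DO bit set, no options
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def pipelined_stream(qname, qtype="A", first_id=1):
    """All queries back to back, each with the 2-byte TCP length prefix."""
    stream = b""
    for i, (name, rtype) in enumerate(chain_questions(qname, qtype)):
        msg = encode_query(first_id + i, name, rtype)  # distinct IDs: replies may be reordered
        stream += struct.pack("!H", len(msg)) + msg
    return stream

def split_frames(stream):
    """Undo the TCP framing; the same loop reads the replies off the socket."""
    frames = []
    while stream:
        (n,) = struct.unpack("!H", stream[:2])
        frames.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return frames

if __name__ == "__main__":
    for name, rtype in chain_questions("www.example.com"):  # constructed sample name
        print(rtype, name)
```

Writing the result of `pipelined_stream()` to one TCP connection to a recursive resolver and reading the length-prefixed replies back is the single round trip; the DO bit in each query is what makes the resolver include the RRSIGs.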


