[dns-operations] cool idea regarding root zone inviolability
dougb at dougbarton.us
Sun Nov 30 21:21:51 UTC 2014
On 11/29/14 2:57 PM, Paul Vixie wrote:

> this matters, because if the secondary server is going to have to
> iterate through the whole zone after loading it, it might as well just
> verify the DNSSEC signatures and NSEC chain.

That's an incomplete solution due to the things that DNSSEC doesn't
cover (I'm thinking particularly of delegation NS records here).

> that wouldn't test for
> "validity" of the zone, but it would be a consistency check of the same
> depth as any zone-level signature could offer. and what's better is,
> incremental changes via IXFR or UPDATE could then be tested incrementally.

Doing a "validity" signature on a per-RRset basis has a lot going for
it, not the least of which is making the incremental updates easier.
We still need a way to verify the entire contents of the zone, however.
This goes beyond just transfers; it would be nice to be able to verify
that a zone downloaded using a method other than transfers is both
accurate and complete.

I'm sensitive to your expectation that non-transfer methods should
provide their own security, and your argument that every new line of
code adds more fragility. However, I do see the appeal of a standardized
way of demonstrating that a given zone is what it should be.
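
Added example, not part of the original post: a Python sketch of the gap mentioned above, listing the RRsets in a signed zone that carry no RRSIG under RFC 4035 section 2.2 (delegation NS records and glue), which a signature-and-NSEC walk would therefore not check. The zone records, the `example.` origin and the function names are constructed for illustration, and owner names are assumed to be lowercase and fully qualified.

```python
# Constructed sample zone as (owner, type, rdata); not real root zone data.
ORIGIN = "example."
ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 7200 3600 1209600 3600"),
    ("example.", "NS", "ns1.example."),
    ("example.", "DNSKEY", "257 3 13 (constructed)"),
    ("ns1.example.", "A", "192.0.2.1"),
    ("child.example.", "NS", "ns.child.example."),      # delegation NS
    ("child.example.", "DS", "12345 13 2 (constructed)"),
    ("ns.child.example.", "A", "192.0.2.53"),           # glue
    ("www.example.", "A", "192.0.2.80"),
]


def is_below(name, ancestor):
    """True when name is a strict descendant of ancestor."""
    return name != ancestor and name.endswith("." + ancestor)


def delegation_points(zone, origin):
    """Owner names other than the apex that hold an NS RRset (zone cuts)."""
    return {owner for owner, rtype, _ in zone if rtype == "NS" and owner != origin}


def unsigned_rrsets(zone, origin):
    """Return the (owner, type) RRsets that DNSSEC leaves without an RRSIG."""
    cuts = delegation_points(zone, origin)
    unsigned = set()
    for owner, rtype, _ in zone:
        if owner in cuts and rtype not in ("DS", "NSEC"):
            # At a zone cut the parent is authoritative only for DS and NSEC;
            # the NS RRset there is not signed by the parent.
            unsigned.add((owner, rtype))
        elif any(is_below(owner, cut) for cut in cuts):
            # Names below a cut are glue (non-authoritative) and unsigned.
            unsigned.add((owner, rtype))
    return unsigned


if __name__ == "__main__":
    for owner, rtype in sorted(unsigned_rrsets(ZONE, ORIGIN)):
        print(f"no RRSIG covers: {owner} {rtype}")
```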