[dns-operations] cool idea regarding root zone inviolability

Doug Barton dougb at dougbarton.us
Sun Nov 30 21:21:51 UTC 2014

On 11/29/14 2:57 PM, Paul Vixie wrote:
> this matters, because if the secondary server is going to have to
> iterate through the whole zone after loading it, it might as well just
> verify the DNSSEC signatures and NSEC chain.

That's an incomplete solution due to the things that DNSSEC doesn't 
cover (I'm thinking particularly of delegation NS records here).

> that wouldn't test for
> "validity" of the zone, but it would be a consistency check of the same
> depth as any zone-level signature could offer. and what's better is,
> incremental changes via IXFR or UPDATE could then be tested incrementally.

Doing a "validity" signature on a per-RRset basis has a lot going for 
it, not the least of which is making the incremental updates easier.

We still need a way to verify the entire contents of the zone however. 
This goes beyond just transfers, it would be nice to be able to verify 
that a zone downloaded using a method other than transfers is both 
accurate and complete.

I'm sensitive to your expectation that non-transfer methods should 
provide their own security, and your argument that every new line of 
code adds more fragility. However I do see the appeal of a standardized 
way of demonstrating that a given zone is what it should be.



More information about the dns-operations mailing list