<br><br>On Thursday, November 27, 2014, Paul Vixie <<a href="mailto:paul@redbarn.org">paul@redbarn.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><br>
<br>
<blockquote style="border:0px none" type="cite">
<div style="margin:30px 25px 10px 25px"><div style="display:table;width:100%;border-top:1px solid #edeef0;padding-top:5px"> <div style="display:table-cell;vertical-align:middle;padding-right:6px"><img src="cid:part1.08040900.05000201@redbarn.org" name="149f3408b047d629_postbox-contact.jpg" width="25px" height="25px"></div> <div style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a href="javascript:_e(%7B%7D,'cvml','warren@kumari.net');" style="color:#737f92!important;padding-right:6px;font-weight:bold;text-decoration:none!important" target="_blank">Warren Kumari</a></div> <div style="display:table-cell;white-space:nowrap;vertical-align:middle">
<font color="#9FA2A5"><span style="padding-left:6px">Thursday,
November 27, 2014 1:11 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px">... and Mark Andrews, Paul
Hofmann, Paul Wouters, myself and a few others (who I embarrassing
enough have forgotten) are planning on writing a "zone signature" draft
(I have an initial version in an edit buffet). The 50,000 meter view is:<div>Sort
all the records in canonical order (including glue)</div><div>Cryptographicly
sign this</div><div>Stuff the signature in a record</div><div><br></div><div>This
allows you to verify that you have the full and complete zone (.de...)
and that it didn't get corrupted in transfer.</div>
<div>This solves a different, but related issue.<br></div>
</div>
</blockquote>
<br>
would this draft change the setting of the AA bit on an secondary
server's responses, or make it unwilling to answer under some
conditions? right now there is no dependency, AA is always set. but if
we're going to make it conditional, then it should be conditioned on the
signatures matching all the way up-chain to a trust anchor, which would
require an authority server to also contain a validator and be able to
make iterative queries. so, i wonder about the use case for your draft.<br>
<br><br>
<div>-- <br>Paul Vixie<br>
</div>
</div></blockquote><div><br></div><div><br></div><div>This allows a slave (or anyone else who wants to validate a zone, e.g a master loading from disk) to know that they have a full and correct zone. This covers things like accidental zone truncation (which has bitten some folk), zone file corruption, etc. if someone hands me a zone somehow (e.g AXFR) and asks me to serve it I'd like a way to make sure it hasn't been accidentally (or intentionally) changed. I'm assuming I'd want my name server software to refuse to load the zone and try retransfer, throw an error, or similar.</div><div>The signature could be (and the way I'd envisioned it) DNSSEC, so up to a TA, or a manually configured key specific to the zone.</div><div><br></div><div>W<span></span></div><br><br>-- <br>I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf<br>