<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div>Not meant to rain on the parade (but this sounds like it) - early on In the development of DNSSEC we spent a bit of time on SIG(AXFR) which is exactly what you described.</div><div><br></div><div>We toyed with it and discarded it. I forget why (which makes this a “rain on the parade” email) but for a long time afterwards we had series of jokes that ended with “that idea is as bad as SIG(AXFR).”</div><div><br></div><div>We being the folks in the lab in the 90’s.</div><div><br></div><div>…Perhaps it was an estimation of the workload involved on the servers (to do all the nasty crypto), complications from incremental updates (which were new then). We also wrote servers to verify all records upon (authoritative) load and that was discarded because it took forever to start the server – probably related.</div><div><br></div><div>Maybe someone else on the list recalls why SIG(AXFR) was killed off.</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div><div>On 11/27/14, 16:11, "Warren Kumari" <<a href="mailto:warren@kumari.net">warren@kumari.net</a>> wrote:</div></div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div>
... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others (who I embarrassing enough have forgotten) are planning on writing a "zone signature" draft (I have an initial version in an edit buffet). The 50,000 meter view is:
<div>Sort all the records in canonical order (including glue)</div><div>Cryptographicly sign this</div><div>Stuff the signature in a record</div><div><br></div><div>This allows you to verify that you have the full and complete zone (.de...) and that it didn't get corrupted in transfer.</div><div>This solves a different, but related issue.</div><div><br></div><div>Hope to finally get off my butt and post -00 soon.</div><div><br></div><div>W<span></span><br><br>
On Thursday, November 27, 2014, Richard Lamb <<a href="mailto:richard.lamb@icann.org">richard.lamb@icann.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Having worked on solas at Intl maritime org, I agree with David. There are many parallels to that space and domain name space. We should learn from that experience.<br><br>
Rick<br><br><br>
Sent from my iPhone<br><br>
> On Nov 27, 2014, at 11:19, David Conrad <<a href="javascript:;" onclick="_e(event, 'cvml', 'drc@virtualized.org')">drc@virtualized.org</a>> wrote:<br>
><br>
> Patrik,<br>
><br>
>> On Nov 26, 2014, at 10:40 PM, Patrik Fältström <<a href="javascript:;" onclick="_e(event, 'cvml', 'paf@frobbit.se')">paf@frobbit.se</a>> wrote:<br>
>> FWIW, I have been working on this for a while with the Diplo foundation, and I am happy to answer questions (and of course listen to concerns).<br>
><br>
> It is an interesting idea, but I don't get how it would work. I asked Jovan back when he initially proposed it, but never heard back.<br>
><br>
> Is the theory behind this that governments around the world would enter into some sort of treaty or some other formally binding vehicle that would make the root zone inviolable? What would be the sanctions should the holder of the root zone (whoever it might
be) ignore the inviolability of the root zone and how would they be enforced? How is that going to work given (e.g.) the US hasn't even been able to ratify the Treaty of the Sea and internal domestic politics will generally override any international agreement
at politicians' whim?<br>
><br>
> Regards,<br>
> -drc<br>
><br>
> _______________________________________________<br>
> dns-operations mailing list<br>
> <a href="javascript:;" onclick="_e(event, 'cvml', 'dns-operations@lists.dns-oarc.net')">
dns-operations@lists.dns-oarc.net</a><br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">
https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
> dns-jobs mailing list<br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br><br>
_______________________________________________<br>
dns-operations mailing list<br><a href="javascript:;" onclick="_e(event, 'cvml', 'dns-operations@lists.dns-oarc.net')">dns-operations@lists.dns-oarc.net</a><br><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-jobs</a> mailing list<br><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br></blockquote></div><br><br>
-- <br>
I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br>
---maf<br></div></div></blockquote></span></body></html>