<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
<br>
<blockquote style="border: 0px none;"
cite="mid:20141129220046.GA55287@isc.org" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><a moz-do-not-send="true" href="mailto:each@isc.org" style="color:#737F92;font-weight:bold;text-decoration:none;">Evan Hunt</a> <font color="#9FA2A5">Saturday, November 29, 2014 2:00 PM</font></div>
<div style="color: rgb(136, 136, 136); margin-left: 24px;
margin-right: 24px;" __pbrmquotes="true" class="__pbConvBody"><div><br>An
out-of-band signature can only cover an out-of-band transfer. An in-band
signature could cover both kinds.
</div></div>
</blockquote>
well, sure, but at the expense of the secondary server having to read
every byte of the transferred zone contents, which is currently unnecessary
for servers using an mmap'd file that they only access sparsely and at
need. (whereas the prospective out-of-band transfer method already has
to touch every byte of the zone contents, and could therefore verify a
signature "for free".)<br>
<br>
this matters, because if the secondary server is going to have to
iterate through the whole zone after loading it, it might as well just
verify the DNSSEC signatures and NSEC chain. that wouldn't test for
"validity" of the zone, but it would be a consistency check of the same
depth as any zone-level signature could offer. and what's better is,
incremental changes via IXFR or UPDATE could then be tested
incrementally.<br>
<br>
here, i'm specifically thinking of zones so large that touching every
byte of their content is a multiple-minutes cost.<br>
<br>
<div class="moz-signature">-- <br>Paul Vixie<br>
</div>
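The consistency check the reply describes, walking the loaded zone to verify its NSEC chain and then re-checking only the owners an IXFR or UPDATE touched, as an added Python example that is not part of this thread or of any DNS server's code. The zone names, the NSEC "next" pointers and the function names are constructed for illustration; RRSIG verification is left out.<br>

```python
def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical name ordering:
    labels compared right to left as lowercase octet strings, so a
    parent name sorts before every name below it."""
    return [lbl.encode() for lbl in reversed(name.rstrip(".").lower().split("."))]

def check_nsec_chain(apex, names, nsec, only=None):
    """names: every owner name in the zone; nsec: owner -> NSEC 'next' name.
    Returns a list of problems (empty means the chain is consistent).
    With only=set(...), just those owners are verified, which is what an
    incremental re-check after an IXFR/UPDATE delta needs."""
    problems = []
    ordered = sorted(names, key=canonical_key)      # touches names, not RR data
    if not ordered or ordered[0] != apex:
        problems.append(f"zone does not start at apex {apex}")
    for i, owner in enumerate(ordered):
        if only is not None and owner not in only:
            continue
        expected = ordered[(i + 1) % len(ordered)]  # last link wraps to the apex
        nxt = nsec.get(owner)
        if nxt is None:
            problems.append(f"{owner}: no NSEC record")
        elif nxt != expected:
            problems.append(f"{owner}: NSEC next is {nxt}, expected {expected}")
    return problems

def add_name(names, nsec, new_name):
    """Apply an UPDATE that adds new_name: splice it into the chain by
    rewriting only its canonical predecessor's NSEC. Returns the owners
    whose NSEC changed, i.e. the set an incremental re-check must cover."""
    ordered = sorted(names | {new_name}, key=canonical_key)
    pos = ordered.index(new_name)
    pred, succ = ordered[pos - 1], ordered[(pos + 1) % len(ordered)]
    names.add(new_name)
    nsec[pred] = new_name
    nsec[new_name] = succ
    return {pred, new_name}

# Constructed sample zone (hypothetical names, not from the thread).
ZONE_APEX = "example."
ZONE_NAMES = {"example.", "a.example.", "b.example.", "www.example."}
NSEC = {"example.": "a.example.", "a.example.": "b.example.",
        "b.example.": "www.example.", "www.example.": "example."}

if __name__ == "__main__":
    print(check_nsec_chain(ZONE_APEX, set(ZONE_NAMES), dict(NSEC)))  # []
```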
</body></html>