<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
<br>
<blockquote style="border: 0px none;"
cite="mid:547B8A6F.70303@dougbarton.us" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:dougb@dougbarton.us"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Doug Barton</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Sunday, November
30, 2014 1:21 PM</span></font></div></div></div>
<div style="color: rgb(136, 136, 136); margin-left: 24px;
margin-right: 24px;" __pbrmquotes="true" class="__pbConvBody">...<br>
<br>We still need a way to verify the entire contents of the zone,
however.
This goes beyond just transfers; it would be nice to be able to verify
that a zone downloaded using a method other than transfers is both
accurate and complete.
<br></div>
</blockquote>
<br>
why? (your use case is not obvious from what you've written.) are you
trying to ensure that errors that creep by TCP's error checking or that
result from silent sending-side failures where both the starting and
ending SOA are present but the middle is corrupt? or are you trying to
ensure that a tertiary server can't be lied to by its secondary server?<br>
<blockquote style="border: 0px none;"
cite="mid:547B8A6F.70303@dougbarton.us" type="cite">
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<br>I'm sensitive to your expectation that non-transfer methods should
provide their own security, and your argument that every new line of
code adds more fragility. However, I do see the appeal of a standardized
way of demonstrating that a given zone is what it should be.<br>
</div>
</blockquote>
<br>
i'm not going to say whether i "see appeal". rather, i'll ask you: what
feature do you want to add, how will it make the domain name system better
in some measurable way like performance, resilience, uptime, or
correctness, and why is it better than at least one and preferably two
alternatives you can think of, and also enough better than the status
quo to be worth the cost of its additional systemic complexity? in other
words, can you do some engineering economics here rather than asserting
and then periodically re-asserting that some feature "would be nice" or
that you "see appeal"?<br>
<br>
<div class="moz-signature">-- <br>Paul Vixie<br>
</div>
</body></html>