+1 And if someone is already serving the root zone, they can always modify the server to return AA.
I'm also wondering about the use case.

Francisco Obispo

> On Nov 27, 2014, at 1:55 PM, Paul Vixie <p...@redbarn.org> wrote:
>
>> Warren Kumari
>> Thursday, November 27, 2014 1:11 PM
>> ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others
>> (who I embarrassingly enough have forgotten) are planning on writing a "zone
>> signature" draft (I have an initial version in an edit buffet). The 50,000
>> meter view is:
>> Sort all the records in canonical order (including glue)
>> Cryptographically sign this
>> Stuff the signature in a record
>>
>> This allows you to verify that you have the full and complete zone (.de...)
>> and that it didn't get corrupted in transfer.
>> This solves a different, but related issue.
>
> would this draft change the setting of the AA bit on a secondary server's
> responses, or make it unwilling to answer under some conditions? right now
> there is no dependency, AA is always set. but if we're going to make it
> conditional, then it should be conditioned on the signatures matching all the
> way up-chain to a trust anchor, which would require an authority server to
> also contain a validator and be able to make iterative queries. so, i wonder
> about the use case for your draft.
>
> --
> Paul Vixie
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
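The "50,000 meter view" quoted in this message (sort every record including glue, sign, store the signature), as an added sketch that is not code from the thread or from any draft. Assumptions: records are plain-text (owner, type, rdata) triples instead of wire format, ordering within a name is by type mnemonic and rdata text, HMAC-SHA256 with a shared key stands in for the public-key signature, and the zone data, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample zone, including the glue A record for ns1.
ZONE = [
    ("example.", "SOA", "ns1.example. admin.example. 1 3600 600 86400 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("WWW.example.", "A", "192.0.2.10"),
]
KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key


def canonical_key(record):
    """Sort key: owner labels lowercased and compared right to left,
    so a parent name sorts before its children (DNSSEC-style name order)."""
    owner, rtype, rdata = record
    labels = [l.encode() for l in owner.lower().rstrip(".").split(".") if l]
    return (list(reversed(labels)), rtype, rdata)


def zone_signature(records, key):
    """MAC over all records in canonical order, independent of arrival order."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for owner, rtype, rdata in sorted(records, key=canonical_key):
        for field in (owner.lower(), rtype, rdata):
            data = field.encode()
            # Length-prefix each field so field boundaries are unambiguous.
            mac.update(len(data).to_bytes(2, "big") + data)
    return mac.hexdigest()


def verify_zone(records, key, expected):
    """True only if the received zone is complete and unmodified."""
    return hmac.compare_digest(zone_signature(records, key), expected)


if __name__ == "__main__":
    sig = zone_signature(ZONE, KEY)
    print("reordered transfer ok:", verify_zone(ZONE[::-1], KEY, sig))
    no_glue = [r for r in ZONE if r[0] != "ns1.example."]
    print("glue missing ok:", verify_zone(no_glue, KEY, sig))
```

This checks only that the received zone is complete and unmodified; it does not address the AA-bit or trust-anchor question raised in the reply.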