In message <54779dd0.4070...@redbarn.org>, Paul Vixie writes:
> > Warren Kumari <mailto:war...@kumari.net>
> > Thursday, November 27, 2014 1:11 PM
> > ... and Mark Andrews, Paul Hoffman, Paul Wouters, myself and a few
> > others (who I embarrassingly enough have forgotten) are planning on
> > writing a "zone signature" draft (I have an initial version in an edit
> > buffer). The 50,000 meter view is:
> > Sort all the records in canonical order (including glue)
> > Cryptographically sign this
> > Stuff the signature in a record
> >
> > This allows you to verify that you have the full and complete zone
> > (.de...) and that it didn't get corrupted in transfer.
> > This solves a different, but related issue.
>
> would this draft change the setting of the AA bit on a secondary
> server's responses, or make it unwilling to answer under some
> conditions? right now there is no dependency, AA is always set. but if
> we're going to make it conditional, then it should be conditioned on the
> signatures matching all the way up-chain to a trust anchor, which would
> require an authority server to also contain a validator and be able to
> make iterative queries. so, i wonder about the use case for your draft.
>
> --
> Paul Vixie
Just having a cryptographically strong zone self-consistency check is a big
win with IXFR. If that fails you AXFR the zone and try again.

For the root zone you don't need an iterative validator as you would have
the root as a trust anchor, and in general an authoritative server needs an
iterative resolver for NOTIFY. As to whether you iterate or not also depends
on the trust anchors installed, whether the keys are RFC 5011 managed or
similar. Having a managed trust anchor for every zone isn't a big deal.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
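The three steps Warren sketches and the IXFR-then-AXFR fallback Mark describes, as an added worked example (my code, not from the thread or any draft): records are put in RFC 4034 canonical order, glue included, and a SHA-256 digest stands in for the signature step; the sample zone, the hypothetical ZONESIG record type and the corrupted IXFR result are all constructed.

```python
import hashlib

# Constructed sample zone "example." as (owner, ttl, class, type, rdata),
# deliberately unsorted and including glue; not data from the thread.
PRIMARY_ZONE = [
    ("ns1.example.", 3600, "IN", "A", "192.0.2.1"),          # glue
    ("example.", 3600, "IN", "SOA", "ns1.example. hostmaster.example. 2014112701 7200 3600 1209600 3600"),
    ("www.example.", 300, "IN", "A", "192.0.2.80"),
    ("example.", 3600, "IN", "NS", "ns2.example."),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("ns2.example.", 3600, "IN", "A", "192.0.2.2"),          # glue
    ("Mail.example.", 300, "IN", "A", "192.0.2.25"),         # mixed-case owner
]
SIG_TYPE = "ZONESIG"  # hypothetical record type carrying the zone signature

def canonical_name(name):
    # RFC 4034 canonical ordering: lowercase, compare labels right to left.
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    return tuple(reversed(labels))

def canonical_zone(records):
    # Step 1: every record, glue included, sorted by owner, type, then RDATA.
    return sorted(set(records), key=lambda rr: (canonical_name(rr[0]), rr[3], rr[4]))

def zone_digest(records):
    # Step 2 stand-in: SHA-256 over the canonical form. The draft signs this
    # with a zone key; a plain digest shows the consistency check itself.
    h = hashlib.sha256()
    for owner, ttl, rclass, rtype, rdata in canonical_zone(records):
        if rtype != SIG_TYPE:  # the signature record does not cover itself
            h.update(f"{owner.lower()} {ttl} {rclass} {rtype} {rdata}\n".encode())
    return h.hexdigest()

def sign_zone(records, apex):
    # Step 3: stuff the result into a record at the zone apex.
    return records + [(apex, 3600, "IN", SIG_TYPE, zone_digest(records))]

def verify_zone(records):
    sigs = [rr for rr in records if rr[3] == SIG_TYPE]
    return len(sigs) == 1 and sigs[0][4] == zone_digest(records)

def secondary_load(ixfr_result, axfr_result):
    # Mark's fallback: keep the IXFR result only if it verifies, else AXFR.
    if verify_zone(ixfr_result):
        return "IXFR"
    return "AXFR" if verify_zone(axfr_result) else None

SIGNED = sign_zone(PRIMARY_ZONE, "example.")
# Constructed failure: an IXFR that silently dropped the ns2 glue record.
BAD_IXFR = [rr for rr in SIGNED if rr[0] != "ns2.example."]
```

Because the digest is computed over the canonical order, a secondary that received the same records in a different order still verifies; a zone missing or altering any record, glue included, does not.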