Matthijs,

On Jan 15, 2015, at 5:13 AM, Matthijs Mekking <matth...@pletterpet.nl> wrote:

> IXFR with DNSSEC is suddenly not so small anymore. Do you recognize this? Olafur and I have some ideas on keeping those zone transfers small. Your feedback is appreciated.
>
> http://www.ietf.org/internet-drafts/draft-mekking-mixfr-01.txt

I support this draft. Steps that can improve the efficiency of DNS are good in my mind (where reduced packet size is to me being efficient).

In the Security Considerations section you are asking what you should include in there. I think what you say about using MIXFR over a secure channel and with TSIG is a good recommendation.

The question would really be to me - can an attacker do anything different with MIXFR than with IXFR? Could an attacker, for instance, use MIXFR to delete RRSIGs so that portions of a zone were then unsigned? Could multiple MIXFR records be sent at the same time to create confusion? Could a MIXFR be used for a DoS attack? And is any of that different from IXFR? (Or should you then just reference the Security Considerations for IXFR?)

I don’t know the answers… but those are the kinds of things I think would be good to discuss in the Security Considerations area.

Dan

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org
+1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
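As an added example (not from Dan's message, the MIXFR draft, or any DNS implementation), the following Python applies a simplified incremental delta to a constructed signed-zone model and then reports every RRset left without a covering RRSIG. That is the kind of post-transfer check a secondary can run before serving a zone received over IXFR or MIXFR, so that a delta which stripped signatures (whether by error or by tampering) is detected rather than silently served as partially unsigned. The zone model, the delta format, the record values and the function names are all constructions for this illustration and do not represent the IXFR or MIXFR wire format.

```python
# Added example: detect RRsets left unsigned after applying an incremental zone delta.
# Zone model and delta format are simplified constructions, not the IXFR/MIXFR wire format.
from collections import defaultdict

# A record is (owner, type, rdata). For RRSIG records the rdata field here holds
# only the covered type name, which is all this check needs.
CONSTRUCTED_ZONE = {
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1"),
    ("example.test.", "RRSIG", "SOA"),
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "RRSIG", "NS"),
    ("www.example.test.", "A", "192.0.2.10"),
    ("www.example.test.", "RRSIG", "A"),
}


def apply_delta(zone, deletions, additions):
    """Return a new zone with `deletions` removed and then `additions` added.

    Deleting a record that is absent, or adding one that already exists, is
    rejected so that a malformed or replayed delta cannot be applied silently.
    """
    new_zone = set(zone)
    for rr in deletions:
        if rr not in new_zone:
            raise ValueError(f"delta deletes a record not in zone: {rr}")
        new_zone.remove(rr)
    for rr in additions:
        if rr in new_zone:
            raise ValueError(f"delta adds a record already in zone: {rr}")
        new_zone.add(rr)
    return new_zone


def unsigned_rrsets(zone):
    """Return sorted (owner, type) pairs that have data but no RRSIG covering them.

    In a fully signed zone the result is empty. A non-empty result means the
    delta (or a signer bug) left part of the zone unsigned, and the zone should
    not be served as signed until it has been re-signed or re-transferred.
    """
    covered = defaultdict(set)   # owner -> set of types that have an RRSIG
    present = defaultdict(set)   # owner -> set of non-RRSIG types present
    for owner, rtype, rdata in zone:
        if rtype == "RRSIG":
            covered[owner].add(rdata)
        else:
            present[owner].add(rtype)
    return sorted(
        (owner, rtype)
        for owner, types in present.items()
        for rtype in types
        if rtype not in covered[owner]
    )


def check_transfer(zone, deletions, additions):
    """Apply the delta and return (new_zone, list of RRsets that ended up unsigned)."""
    new_zone = apply_delta(zone, deletions, additions)
    return new_zone, unsigned_rrsets(new_zone)


if __name__ == "__main__":
    # Constructed delta: the www A record changes, but the replacement RRSIG is missing.
    deletions = [("www.example.test.", "A", "192.0.2.10"),
                 ("www.example.test.", "RRSIG", "A")]
    additions = [("www.example.test.", "A", "192.0.2.20")]
    _, problems = check_transfer(CONSTRUCTED_ZONE, deletions, additions)
    print("unsigned RRsets after delta:", problems)
```

The check deliberately treats an owner name whose records are all deleted as fine (nothing is left to sign), and only complains when data remains at a name without a matching RRSIG; a real implementation would additionally validate the signatures themselves against the zone's DNSKEY RRset rather than only checking that one is present.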
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop