* Duane Wessels:
> I wouldn't be opposed to this in principle -- say an RR count field.

That doesn't really bound the amount of transferred data, I think, because RR size can still vary widely. I believe something that counts the hashed bytes would be more helpful and about as easy to implement.

> For this to be useful in an unsigned zone then all you need is for the
> ZONEMD (with RR count field) to be received early in the AXFR. If it
> is at the end then this field doesn't help.
>
> For a signed zone, we'd have to think about whether the ZONEMD record
> should be DNSSEC validated before trusting the RR count field. If yes
> then you need the signatures and NSEC* records too, so it becomes sort
> of complex when you'd be able to trust and check the RR count.

Could you query it before the transfer?

> But it seems to me like this is better suited to be a feature of AXFR
> in general, rather than ZONEMD.

It depends on what you want to achieve with ZONEMD. If you want to prevent trivial, but potentially persistent DoS attacks with custom root servers, you need it in ZONEMD.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
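The hashed-byte-count idea above, as an added illustration that is not code from the thread or from any ZONEMD implementation: a receiver learns the declared byte count (a hypothetical field next to the digest) before the AXFR, aborts as soon as the transferred bytes exceed it, and only then checks a simplified ZONEMD-style digest. The RRs are constructed, pre-canonicalised byte strings; real RFC 8976 canonical ordering and wire encoding are simplified assumptions here.

```python
import hashlib

# Constructed sample zone: each RR is a pre-canonicalised wire-format byte string.
# (Real ZONEMD canonical ordering and wire encoding are simplified away.)
GOOD_ZONE = [b"example.\x00\x01" + bytes([i]) * 20 for i in range(5)]


def digest_zone(rrs):
    """Return (SHA-384 hex digest, number of hashed bytes) over the sorted RRs."""
    h = hashlib.sha384()
    hashed = 0
    for rr in sorted(rrs):  # simplified stand-in for canonical RR ordering
        h.update(rr)
        hashed += len(rr)
    return h.hexdigest(), hashed


class TransferTooLarge(Exception):
    """Raised when an AXFR exceeds the byte bound declared up front."""


class BoundedReceiver:
    """Consumes AXFR RRs, aborting as soon as the declared byte bound is exceeded."""

    def __init__(self, declared_bytes):
        self.declared_bytes = declared_bytes  # hypothetical hashed-bytes field
        self.received = 0
        self.rrs = []

    def accept(self, rr):
        self.received += len(rr)
        if self.received > self.declared_bytes:
            raise TransferTooLarge(f"{self.received} > {self.declared_bytes}")
        self.rrs.append(rr)

    def verify(self, declared_digest):
        digest, _ = digest_zone(self.rrs)
        return digest == declared_digest


def transfer(rrs, declared_digest, declared_bytes):
    """Simulate the receiving side; return (zone accepted, bytes consumed)."""
    receiver = BoundedReceiver(declared_bytes)
    try:
        for rr in rrs:
            receiver.accept(rr)
    except TransferTooLarge:
        return False, receiver.received  # stopped early, zone discarded
    return receiver.verify(declared_digest), receiver.received
```

Note that the byte bound limits how much an oversized transfer can consume, while the digest still catches a same-size transfer whose content differs.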
That doesn't really bound the amount of transferred data, I think, because RR size can still vary widely. I believe something that counts the hashed bytes would be more helpful and about as easy to implement. > For this to be useful in an unsigned zone then all you need is for the > ZONEMD (with RR count field) to be received early in the AXFR. If it > is at the end then this field doesn't help. > > For a signed zone, we'd have to think about whether the ZONEMD record > should be DNSSEC validated before trusting the RR count field. If yes > then you need the signatures and NSEC* records too, so it becomes sort > of complex when you'd be able to trust and check the RR count. Could you query it before the transfer. > But it seems to me like this is better suited to be a feature of AXFR > in general, rather than ZONEMD. It depends on what you want to achieve with ZONEMD. If you want to prevent trivial, but potentially persistent DoS attacks with custom root servers, you need it in ZONEMD. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop