On Fri, 27 Jul 2018 at 12:04, Evan Hunt <e...@isc.org> wrote:
> On Fri, Jul 27, 2018 at 11:24:33AM +0800, Davey Song wrote:
> > The draft says zone digest is not for protecting zone transmission.
>
> Where did it say that? I didn't notice it.
>
I mean zone digest is not for zone transmission with channel security. On page 4, the authors compare zone digest and channel security:

    Unfortunately, the protections provided by these channel security techniques are ephemeral and are not retained after the data transfer is complete. They can ensure that the client receives the data from the expected server, and that the data sent by the server is not modified during transmission. However, they do not guarantee that the server transmits the data as originally published, and do not provide any methods to verify data that is read after transmission is complete. For example, a name server loading saved zone data upon restart cannot guarantee that the on-disk data has not been modified. For these reasons, it is preferable to secure the data itself.

Davey
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
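The distinction the quoted draft text draws (channel security protects the transfer, a digest carried in the zone protects the data at rest) can be shown in code. The following is an added illustration, not code from the thread, the draft, or any implementation: a digest record is computed over a canonical serialization of the zone and stored in the zone itself, and a consumer recomputes it when loading the zone from disk. The serialization, the record name `ZONEMD`, the rdata layout `serial scheme hashalg digest`, and the sample zone are all constructed for this example and are a simplified stand-in for the draft's exact canonical form, not its wire-format encoding.

```python
"""Simplified zone-digest demo (added example, not from the thread or draft).

A digest stored in the zone itself can be re-checked after the data is at rest,
which TLS or TSIG on the transfer channel cannot do once the transfer is over.
The canonical serialization below is a simplified stand-in for the draft's
canonical form; it is not the draft's exact wire-format encoding.
"""
import hashlib
import hmac
from typing import List, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)

# Constructed sample zone; the SOA serial is arbitrary.
SAMPLE_ZONE: List[RR] = [
    ("example.com.", 3600, "SOA",
     "ns1.example.com. hostmaster.example.com. 2018072701 7200 3600 1209600 3600"),
    ("example.com.", 3600, "NS", "ns1.example.com."),
    ("example.com.", 3600, "NS", "ns2.example.com."),
    ("ns1.example.com.", 3600, "A", "192.0.2.2"),
    ("ns2.example.com.", 3600, "A", "192.0.2.3"),
    ("www.example.com.", 300, "A", "192.0.2.1"),
]

DIGEST_TYPE = "ZONEMD"  # name chosen for the example


def canonical_bytes(zone: List[RR]) -> bytes:
    """Serialize every RR except the digest record itself in a fixed order,
    so the digest does not depend on the order records appear on disk."""
    rrs = [(o.lower(), ttl, t, r) for (o, ttl, t, r) in zone if t != DIGEST_TYPE]
    rrs.sort(key=lambda rr: (rr[0], rr[2], rr[3]))
    return b"".join(f"{o}\t{ttl}\t{t}\t{r}\n".encode("ascii") for (o, ttl, t, r) in rrs)


def compute_zone_digest(zone: List[RR]) -> str:
    return hashlib.sha384(canonical_bytes(zone)).hexdigest()


def soa_record(zone: List[RR]) -> RR:
    for rr in zone:
        if rr[2] == "SOA":
            return rr
    raise ValueError("zone has no SOA")


def publish_with_digest(zone: List[RR]) -> List[RR]:
    """Publisher side: drop any stale digest record, compute the digest over the
    remaining data, and append it at the apex, tied to the current SOA serial."""
    owner, ttl, _, soa_rdata = soa_record(zone)
    serial = soa_rdata.split()[2]
    body = [rr for rr in zone if rr[2] != DIGEST_TYPE]
    digest = compute_zone_digest(body)
    return body + [(owner, ttl, DIGEST_TYPE, f"{serial} 1 1 {digest}")]


def verify_zone_digest(zone: List[RR]) -> bool:
    """Consumer side (e.g. a server loading a saved zone at restart): recompute
    over the data actually loaded and compare it to the stored digest."""
    stored = [rr for rr in zone if rr[2] == DIGEST_TYPE]
    if len(stored) != 1:
        return False  # missing or ambiguous digest record: treat as unverified
    fields = stored[0][3].split()
    if len(fields) != 4 or fields[0] != soa_record(zone)[3].split()[2]:
        return False  # digest record does not belong to this SOA serial
    return hmac.compare_digest(fields[3], compute_zone_digest(zone))


def tamper_on_disk(zone: List[RR]) -> List[RR]:
    """Simulate an edit to the saved zone file after the transfer completed."""
    return [("www.example.com.", 300, "A", "198.51.100.99")
            if rr[0] == "www.example.com." else rr
            for rr in zone]


if __name__ == "__main__":
    published = publish_with_digest(SAMPLE_ZONE)
    print("fresh copy verifies:     ", verify_zone_digest(published))
    print("reordered copy verifies: ", verify_zone_digest(list(reversed(published))))
    print("tampered copy verifies:  ", verify_zone_digest(tamper_on_disk(published)))
```

The reordered copy still verifies because the digest is taken over a sorted serialization, while the modified A record is caught regardless of how the file reached the disk; a TLS-protected AXFR would have given no way to notice the second case.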