On Fri, 27 Jul 2018 at 12:04, Evan Hunt <e...@isc.org> wrote:

> On Fri, Jul 27, 2018 at 11:24:33AM +0800, Davey Song wrote:
> > The draft says zone digest is not for protecting zone transmission.
>
> Where did it say that? I didn't notice it.
>

I mean zone digest is not for zone transmission with channel security. On
page 4, the authors compare zone digest and channel security.

   Unfortunately, the protections provided by these channel security
   techniques are ephemeral and are not retained after the data transfer
   is complete.  They can ensure that the client receives the data from
   the expected server, and that the data sent by the server is not
   modified during transmission.  However, they do not guarantee that
   the server transmits the data as originally published, and do not
   provide any methods to verify data that is read after transmission is
   complete.  For example, a name server loading saved zone data upon
   restart cannot guarantee that the on-disk data has not been modified.
   For these reasons, it is preferable to secure the data itself.

 Davey
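The distinction the quoted paragraph draws (channel security protects the transfer, a digest protects the data itself, including on disk after a restart) can be illustrated with a small simulation. This is an added example, not code from the draft or from ISC, and it uses a simplified canonical form and record layout rather than the draft's exact wire-format digest; the sample records are constructed.

```python
import hashlib
import hmac

# Constructed sample zone: (owner, ttl, class, type, rdata).
SAMPLE_ZONE = [
    ("example.", 3600, "IN", "SOA",
     "ns1.example. hostmaster.example. 2018072701 7200 3600 1209600 3600"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("www.example.", 300, "IN", "A", "192.0.2.1"),
    ("ns1.example.", 3600, "IN", "A", "192.0.2.53"),
]


def canonical_order(records):
    """Sort records so the digest does not depend on file order.

    Owner names are compared label by label from the root (reversed,
    case-insensitive), then by type, then by rdata. This is a simplified
    stand-in for DNSSEC canonical ordering, not the draft's exact rules.
    """
    def key(rr):
        owner, _ttl, _cls, rrtype, rdata = rr
        labels = owner.lower().rstrip(".").split(".")
        return (labels[::-1], rrtype, rdata)
    return sorted(records, key=key)


def zone_digest(records):
    """SHA-384 over the canonically ordered records (simplified encoding)."""
    h = hashlib.sha384()
    for owner, ttl, rrclass, rrtype, rdata in canonical_order(records):
        h.update(f"{owner.lower()} {ttl} {rrclass} {rrtype} {rdata}\n".encode())
    return h.hexdigest()


def verify_zone(records, published_digest):
    """Check data read back (e.g. from disk after a restart) against the
    digest that was published with the zone. Constant-time compare."""
    return hmac.compare_digest(zone_digest(records), published_digest)


def tamper_on_disk(records):
    """Constructed scenario: the saved zone is altered after a secure
    transfer completed; channel security cannot detect this."""
    changed = list(records)
    changed[2] = ("www.example.", 300, "IN", "A", "198.51.100.99")
    return changed
```

A server that re-reads its saved copy can call `verify_zone` before serving it: a reordered but unmodified file still verifies, the tampered one does not.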
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
