* John R. Levine: >>>> that the served zone is too large. Otherwise, the receiver has to >>>> download the entire zone before it can determine that the hash does >>>> not match. ... > >> On the other hand, clients will likely have a pretty good idea for the >> size of the zone, so they could transfer it twice: ... > > Now I'm really confused. To avoid downloading the whole zone you download > it twice? > > Could you explain in simple terms why you can't download the zone, check > the digest and signature, and either use it or discard it?
A malicious server might never stop sending data, or claim that the transfer is ridiculously large. If the zone digest does not include information about the amount of data, this can only be detected after the server ended transmission, at which time the ZONEMD digest can be compared. But at this point, the client may already have filled its storage with garbage data, unless the double transfer trick is used. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop