In article <d2923107-b7d1-4ed6-aac6-c65553bde...@isc.org> you write:
>Mail headers don’t have NSEC records. Also any operation where you need to
>reconstruct the file by combining bits from different places/channels is
>prone to errors.
>
>You need to know the hash is valid before you start the download. Therefore
>the hash has to be signed.
We must have some basic difference in our mental models here. Mine is:

1. Download the zone from wherever.
2. Sort the records and compute the hash.
3. Check that the hash you computed matches the one in the ZONEMD.
4. Check that the DNSSEC signature of the ZONEMD is valid.

If all that works, use the zone. If not, throw it away.

What am I missing?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
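The four-step check order from the message above, as an added example that is not part of the thread. It models the flow on a constructed zone: parse the downloaded zone, sort the records in an approximation of DNSSEC canonical order, SHA-384 them (scheme 1 / hash algorithm 1, excluding the apex ZONEMD RRset and its RRSIG as RFC 8976 requires), compare with the digest carried in the ZONEMD record, and only then check the signature over the ZONEMD. Two simplifications are assumptions of this illustration and not how a real verifier works: records are serialised as normalised text rather than RFC 8976 wire format, and the RRSIG over the ZONEMD is stood in for by an HMAC under a constructed key, since a real DNSSEC validation needs the DNSKEY chain. The zone data, key and names are constructed for the demo.

```python
import hashlib
import hmac
from typing import List, Tuple

RR = Tuple[str, int, str, str, str]  # (owner, ttl, class, type, rdata)


def parse_zone(text: str) -> List[RR]:
    """Step 1's result: one RR per line in presentation format (no $ORIGIN, no multi-line RRs)."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        rrs.append((owner, int(ttl), cls, rtype, rdata))
    return rrs


def canonical_key(rr: RR):
    """Sort key approximating RFC 4034 s6.1 canonical order: root label first, then type, then rdata."""
    owner, _ttl, _cls, rtype, rdata = rr
    labels = owner.lower().rstrip(".").split(".") if owner != "." else []
    return (tuple(reversed(labels)), rtype, rdata)


def is_apex_zonemd_or_its_rrsig(rr: RR, apex: str) -> bool:
    owner, _ttl, _cls, rtype, rdata = rr
    if owner.lower() != apex.lower():
        return False
    return rtype == "ZONEMD" or (rtype == "RRSIG" and rdata.split()[0] == "ZONEMD")


def compute_digest(rrs: List[RR], apex: str) -> str:
    """Step 2: sort, serialise (simplified text form, NOT RFC 8976 wire format) and SHA-384."""
    h = hashlib.sha384()
    for rr in sorted(rrs, key=canonical_key):
        if is_apex_zonemd_or_its_rrsig(rr, apex):
            continue  # RFC 8976 s3.3.1: the apex ZONEMD RRset and its RRSIG are not hashed
        owner, ttl, cls, rtype, rdata = rr
        h.update(f"{owner.lower()} {ttl} {cls} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def sign_zonemd(zonemd_rr: RR, key: bytes) -> str:
    """Stand-in for the RRSIG over the ZONEMD RRset (HMAC here; real DNSSEC uses public-key RRSIG/DNSKEY)."""
    return hmac.new(key, " ".join(map(str, zonemd_rr)).encode(), "sha256").hexdigest()


def verify_zone(text: str, apex: str, key: bytes) -> Tuple[bool, str]:
    """Steps 1-4 in the order the message gives; any failure means the zone is thrown away."""
    rrs = parse_zone(text)
    apex_l = apex.lower()
    zonemd = [r for r in rrs if r[0].lower() == apex_l and r[3] == "ZONEMD"]
    soa = [r for r in rrs if r[0].lower() == apex_l and r[3] == "SOA"]
    if len(zonemd) != 1 or len(soa) != 1:
        return False, "need exactly one apex ZONEMD and one SOA"
    serial, scheme, hash_alg, digest = zonemd[0][4].split()
    if (scheme, hash_alg) != ("1", "1"):
        return False, "unsupported ZONEMD scheme/hash algorithm"
    if serial != soa[0][4].split()[2]:
        return False, "ZONEMD serial does not match SOA serial"
    computed = compute_digest(rrs, apex)                                      # step 2
    if not hmac.compare_digest(computed, digest.lower()):                     # step 3
        return False, "digest mismatch: zone content altered or ZONEMD stale"
    rrsigs = [r for r in rrs if r[0].lower() == apex_l and r[3] == "RRSIG"
              and r[4].split()[0] == "ZONEMD"]
    if len(rrsigs) != 1:
        return False, "no RRSIG covering the apex ZONEMD"
    if not hmac.compare_digest(sign_zonemd(zonemd[0], key), rrsigs[0][4].split()[1]):  # step 4
        return False, "ZONEMD signature invalid: digest could have been recomputed by anyone"
    return True, "zone accepted"


def make_zone(body: List[RR], apex: str, serial: str, key: bytes) -> str:
    """Publisher side: append a ZONEMD computed over the body and the (stand-in) signature over it."""
    digest = compute_digest(body, apex)
    zonemd = (apex, 3600, "IN", "ZONEMD", f"{serial} 1 1 {digest}")
    rrsig = (apex, 3600, "IN", "RRSIG", f"ZONEMD {sign_zonemd(zonemd, key)}")
    return "\n".join(" ".join(map(str, r)) for r in body + [zonemd, rrsig]) + "\n"


# Constructed sample zone and key for the demo (not real data)
KEY = b"constructed-demo-key"
BODY: List[RR] = [
    ("example.", 3600, "IN", "SOA", "ns1.example. admin.example. 2024010101 7200 3600 1209600 3600"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("www.example.", 300, "IN", "A", "192.0.2.10"),
    ("ns1.example.", 300, "IN", "A", "192.0.2.1"),
]
GOOD_ZONE = make_zone(BODY, "example.", "2024010101", KEY)
TAMPERED_ZONE = GOOD_ZONE.replace("192.0.2.10", "192.0.2.99")  # content changed after the digest was made

if __name__ == "__main__":
    print(verify_zone(GOOD_ZONE, "example.", KEY))
    print(verify_zone(TAMPERED_ZONE, "example.", KEY))
    print(verify_zone(GOOD_ZONE, "example.", b"wrong-key"))
```

The point the check order makes is visible in the three calls at the bottom: a tampered record fails at step 3 before any signature work, and a zone whose digest is correct but whose ZONEMD is not validly signed still fails at step 4, because an attacker who can alter the zone can just as easily recompute an unsigned digest. Nothing is accepted until both checks pass.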