Paul Wouters <p...@nohats.ca> wrote:
>
> We are looking at a way to distribute the root zone, presumably to
> make the root servers less mission critical and for enhanced
> privacy and reduced NXDOMAIN queries.

RFC 8198 with qname minimization give you the latter two.

> We are depending on DNSSEC for integrity of the data, which just misses
> glue/NS verification.

I keep thinking it might make sense to sign non-authoritative delegation records, though it's really hard to see how we could get there from here. For instance, there isn't a flags field in RRSIG so you can't explicitly mark an RRset as being non-authoritative.

> It seems the way to fix this would be to have well known recursive servers
> (8.8.8.8, 1.1.1.1, 4.4.4.4, level3, opendns, etc) also offer the root
> zone for AXFR.

This just makes the surveillance capitalists part of your mission critical problem area, which isn't obviously an improvement.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Fisher, German Bight: Southerly or southeasterly 4 or 5, occasionally 6 in
west Fisher. Slight or moderate. Showers. Good.
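
The RFC 8198 and qname minimization point in the message above, sketched as an added example that is not part of the original message: a resolver holding validated root NSEC records can answer for nonexistent TLDs without sending anything to the root. The NSEC chain and all function names are constructed for illustration, and signature validation and TTL expiry are assumed to have been handled before records enter the cache.

```python
# Added example: RFC 8198 aggressive NSEC use plus QNAME minimisation at the root.
# The NSEC chain is constructed sample data, not the real root zone.
# Assumption: every cached NSEC was DNSSEC-validated and is still within its TTL.

def canon_key(name):
    """RFC 4034 section 6.1 canonical order: labels right to left, lowercased."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]              # the root "." becomes [], which sorts first

def minimise_for_root(qname):
    """QNAME minimisation: the root is only ever asked about the rightmost label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return (labels[-1] + ".") if labels else "."

# (owner, next) pairs taken from cached NSEC records (constructed).
NSEC_CACHE = [(".", "com."), ("com.", "net."), ("net.", "org."), ("org.", ".")]

def nsec_covers(owner, nxt, qname):
    """True if qname falls strictly inside the gap this NSEC proves empty."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o                     # last NSEC in the chain wraps back to the apex

def answer_from_cache(qname, cache=NSEC_CACHE):
    """Return 'NXDOMAIN' (synthesised locally), 'EXISTS', or 'QUERY' (ask the root)."""
    tld = minimise_for_root(qname)
    k = canon_key(tld)
    for owner, nxt in cache:
        if k in (canon_key(owner), canon_key(nxt)):
            return "EXISTS"          # name is in the chain, so it cannot be denied
        if nsec_covers(owner, nxt, tld):
            return "NXDOMAIN"        # no packet leaves the resolver for this name
    return "QUERY"                   # no covering NSEC cached; send only the TLD label

if __name__ == "__main__":
    for q in ("printer.local.", "www.example.COM.", "host.zzz."):
        print(q, "->", minimise_for_root(q), answer_from_cache(q))
```

With only `(".", "com.")` cached, `printer.local.` falls outside the proven gap and returns `QUERY`, which is the case where the minimised label `local.` is all the root sees.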