In article <m1fkrck-0000...@stereo.hq.phicoh.net> you write:
>I think there is a big difference between distributing the root zone and
>distributing a few 'local' zones.
>
>In the first case you need something that is massively scalable.

Fortunately, Cloudflare, Edgecast, Limelight, Azure, and Akamai are only a
phone call away. That problem is pretty thoroughly solved. Whether you'd
want to use them to distribute copies of root or TLD files is more of a
political than a technical question.

>In the second case, just create a tar file with a zone file and a hash, put
>it up on a web server and the problem is solved. Verifying the contents of a
>file is not exactly a new problem.

It's not a new problem but it's not one we've addressed very well for the
DNS. My DNS setup signs the zones and then uses rsync to distribute the zone
files, which I don't think is unusual. I assume that rsync doesn't scramble
the zones, but it'd be enough of a pain to create and distribute detached
signatures that I don't.

If the signer added ZONEMD at signing time which the servers could check
before using the zones, I think that would be useful.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
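The check John describes above (a ZONEMD record added at signing time, verified by the receiving server before the zone is used) as an added worked example; this is not code from the thread or from any DNS implementation. It assumes a hand-built zone held as Python tuples under the placeholder name example.test, supports only SOA/NS/A/AAAA/MX/TXT/ZONEMD with no RRSIG or NSEC records (so it covers the unsigned-zone case), and uses RFC 8976 scheme 1 (SIMPLE) with hash algorithm 1 (SHA-384). All function names and sample records are constructed for this example:

```python
# Added example (not from the DNSOP thread): toy RFC 8976 ZONEMD compute/verify.
# Assumptions: zone held as (owner, ttl, type, rdata) tuples, only the RR types
# below, no RRSIG/NSEC records, scheme 1 (SIMPLE) with hash algorithm 1 (SHA-384).
import hashlib
import ipaddress
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ZONEMD": 63}
CLASS_IN = 1
SCHEME_SIMPLE, HASH_SHA384 = 1, 1


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): absolute, lowercase, uncompressed."""
    if not name.endswith("."):
        raise ValueError(f"name must be absolute: {name!r}")
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def name_sort_key(name: str) -> tuple:
    """RFC 4034 s6.1 canonical name order: lowercase labels compared right to left."""
    return tuple(reversed([l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]))


def rdata_to_wire(rtype: str, rdata) -> bytes:
    """Canonical RDATA: embedded names lowercase and uncompressed, nothing else changed."""
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    if rtype == "NS":
        return name_to_wire(rdata)
    if rtype == "MX":  # (preference, exchange)
        return struct.pack("!H", rdata[0]) + name_to_wire(rdata[1])
    if rtype == "TXT":  # a single <character-string>
        data = rdata.encode("ascii")
        return bytes([len(data)]) + data
    if rtype == "SOA":  # (mname, rname, serial, refresh, retry, expire, minimum)
        return name_to_wire(rdata[0]) + name_to_wire(rdata[1]) + struct.pack("!5I", *rdata[2:])
    if rtype == "ZONEMD":  # (serial, scheme, hash_alg, digest_hex)
        return struct.pack("!IBB", *rdata[:3]) + bytes.fromhex(rdata[3])
    raise ValueError(f"unsupported RR type {rtype}")


def zonemd_digest(zone, apex: str) -> bytes:
    """RFC 8976 s3.3: hash every RR in canonical order (owner, class, type, RDATA),
    each in uncompressed wire form, skipping apex ZONEMD RRs and exact duplicates."""
    apex_key = name_sort_key(apex)
    entries = {}
    for owner, ttl, rtype, rdata in zone:
        okey = name_sort_key(owner)
        if rtype == "ZONEMD" and okey == apex_key:
            continue  # the digest never covers the ZONEMD RRset it will be stored in
        rd = rdata_to_wire(rtype, rdata)
        header = struct.pack("!HHIH", TYPE[rtype], CLASS_IN, ttl, len(rd))
        entries[(okey, CLASS_IN, TYPE[rtype], rd)] = name_to_wire(owner) + header + rd
    h = hashlib.sha384()
    for key in sorted(entries):
        h.update(entries[key])
    return h.digest()


def apex_soa_serial(zone, apex: str) -> int:
    apex_key = name_sort_key(apex)
    soas = [r for r in zone if r[2] == "SOA" and name_sort_key(r[0]) == apex_key]
    if len(soas) != 1:
        raise ValueError("zone must have exactly one apex SOA")
    return soas[0][3][2]


def add_zonemd(zone, apex: str, ttl: int = 86400):
    """Signer side: append an apex ZONEMD whose Serial field is the SOA serial."""
    digest = zonemd_digest(zone, apex)
    rdata = (apex_soa_serial(zone, apex), SCHEME_SIMPLE, HASH_SHA384, digest.hex())
    return zone + [(apex, ttl, "ZONEMD", rdata)]


def verify_zonemd(zone, apex: str) -> bool:
    """Receiving-server side (RFC 8976 s4): succeed only if some apex ZONEMD uses a
    supported scheme/hash, its Serial equals the SOA serial, and the digest recomputes."""
    try:
        serial = apex_soa_serial(zone, apex)
    except ValueError:
        return False
    apex_key = name_sort_key(apex)
    expected = zonemd_digest(zone, apex)
    for owner, _ttl, rtype, rdata in zone:
        if rtype != "ZONEMD" or name_sort_key(owner) != apex_key:
            continue
        if rdata[:3] != (serial, SCHEME_SIMPLE, HASH_SHA384):
            continue  # stale serial or unsupported scheme/hash: this RR cannot verify
        if bytes.fromhex(rdata[3]) == expected:
            return True
    return False


APEX = "example.test."  # constructed sample zone; names and addresses are placeholders
SAMPLE_ZONE = [
    (APEX, 3600, "SOA", ("ns1.example.test.", "hostmaster.example.test.",
                         2024010100, 7200, 3600, 1209600, 3600)),
    (APEX, 3600, "NS", "ns1.example.test."),
    (APEX, 3600, "NS", "NS2.Example.Test."),  # mixed case: digest input is lowercased
    (APEX, 3600, "MX", (10, "mail.example.test.")),
    ("ns1.example.test.", 3600, "A", "192.0.2.1"),
    ("ns2.example.test.", 3600, "AAAA", "2001:db8::2"),
    ("mail.example.test.", 3600, "A", "192.0.2.25"),
    ("_dmarc.example.test.", 3600, "TXT", "v=DMARC1; p=reject"),
]

if __name__ == "__main__":
    published = add_zonemd(SAMPLE_ZONE, APEX)  # what the signer would rsync out
    print("verifies as received:", verify_zonemd(published, APEX))
    tampered = [(o, t, ty, "198.51.100.25" if o == "mail.example.test." else rd)
                for o, t, ty, rd in published]  # one A record altered in transit
    print("verifies after tampering:", verify_zonemd(tampered, APEX))
```

The receiving server recomputes the digest from the zone it actually loaded, so a copy corrupted or altered between signer and server fails verification even though nothing about the transport (rsync, HTTP, a tarball) changed. Note what ZONEMD does not give you: without DNSSEC signatures over the ZONEMD RRset it is an integrity check, not an authenticity check, since whoever can rewrite the zone can rewrite the digest too.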