On 1 Aug 2018, at 9:31, Paul Wouters wrote:
> I strongly prefer a regular rrtype over any kind of special processing or complicating dnssec further.

Agree.

> If axfr signatures aren’t enough because people envision non-dns zonefile transports, do a single ZONEMD, which signs the whole thing or only all records without RRSIG.

My proposed NONAUTH-RRSIG is not exclusively for zonefile transport. It would be useful for normal resolver-authoritative queries as well.
--Paul Hoffman