>> If the resolver is not validating, the ZONEMD assures that all the records
>> are there. The strength of that assurance is the same as the second
>> pre-image strength of the hash. However, the resolver cannot say "oh, look,
>> now I can start resolving with what I got in the zone transfer": it still
>> needs to validate every RRSIG all the way to the root.
>
> That's not what people are going to do. They are going to grab the
> AXFR'ed data, check the checksum and throw it in the "validated" cache
> and they won't revalidate every root zone entry they are about to serve.
Why would my copy of nsd handle it differently than the copy of the root it AXFRs now?

Also, still wondering about that second preimage downgrade attack.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop