On Thu, Aug 09, 2018 at 02:19:08PM +0000, Edward Lewis wrote:

> FWIW, this message was spurred by this comic strip [yes, today as I write]:
> http://dilbert.com/strip/2018-08-09.

Cute.

> "Will the time taken to generate and verify this record add to the security
> of a zone transfer?"

Perhaps a sensible way to secure zone transfer is at the transport layer.
Presumably DNS over TLS is compatible with AXFR. If desired, authentication
can be via DANE. Just publish a TLSA RRset:

    example.net.                IN SOA   nsa.example.net. hostmaster.example.net. ...
    example.net.                IN NS    nsa.example.net.
    nsa.example.net.            IN A     192.0.2.1
    _853._tcp.nsa.example.net.  IN TLSA  3 1 1 fbefbd9e5b54696792bab92cf329669edaca16d0b09dcfdd16fe3e1bd8ab08e9

and do the AXFR transfer over TLS. This does not require pre-computation of a
zone checksum. Just obtain the zone transfer from a suitably trusted source.

-- 
	Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
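As an added illustration (not part of the mail above), this is the check a DNS-over-TLS client on port 853 would apply to the TLSA record Viktor shows, "3 1 1 <sha256>": usage 3 (DANE-EE) means the public key match alone authenticates the server, selector 1 means the SubjectPublicKeyInfo is hashed rather than the whole certificate, and matching type 1 means SHA-256. The function names and the 32-byte Ed25519 key embedded as sample SPKI are constructed for the example; the DER prefix is the standard Ed25519 SPKI header.

```python
import hashlib
import hmac

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key. The 12-byte
# algorithm header is the standard one; the 32-byte key after it is made up.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI = ED25519_SPKI_PREFIX + bytes(range(1, 33))

# The record from the mail: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256),
# published at _853._tcp.nsa.example.net for the DNS-over-TLS port.
MAIL_TLSA = "3 1 1 fbefbd9e5b54696792bab92cf329669edaca16d0b09dcfdd16fe3e1bd8ab08e9"


def parse_tlsa(rdata):
    """Parse TLSA presentation format into (usage, selector, matching_type, assoc_data).
    The hex field may be split over several whitespace-separated chunks in zone files."""
    usage, selector, mtype, *hexdata = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata))


def association_data(mtype, spki_der):
    """Certificate Association Data for one matching type (RFC 6698): 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return spki_der
    if mtype == 1:
        return hashlib.sha256(spki_der).digest()
    if mtype == 2:
        return hashlib.sha512(spki_der).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_for_spki(spki_der, mtype=1):
    """The '3 1 <mtype> <hex>' rdata an operator would publish for this server key."""
    return f"3 1 {mtype} {association_data(mtype, spki_der).hex()}"


def dane_ee_spki_match(rdata, spki_der):
    """True if the SPKI presented in the TLS handshake satisfies a DANE-EE/SPKI TLSA record.
    With usage 3 no CA chain is consulted: the key match is the authentication.
    Usages 0-2 additionally need PKIX validation and selector 0 needs the whole
    certificate; neither is handled here, so such records are refused, not accepted."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3 or selector != 1:
        raise ValueError("only DANE-EE (3) / SPKI (1) records are handled by this check")
    expected = association_data(mtype, spki_der)
    # Constant-time comparison so a mismatch does not leak which bytes differed.
    return hmac.compare_digest(expected, data)
```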