In article <7223eeb4-57a4-4c54-8c62-631b5fbee...@icann.org>, Edward Lewis <edward.le...@icann.org> wrote:
>On 8/11/18, 10:44, "DNSOP on behalf of John Levine" wrote:
>
>>The way that ZONEMD is defined in the draft, it's not very useful if the
>>ZONEMD record isn't signed.
>
>That's my read too, which is why I question the incremental benefit over
>relying on DNSSEC while doing the query/response
>over port 53 "thing". Question, not doubt, that is.
As we may have mentioned once or twice before in this discussion, it lets you do zone transfers over insecure channels and batch verify the zone before using it. I agree that the consumer needs to implement DNSSEC, but the obvious consumer is a DNS server.

On my setup, I batch sign the zones on the primary server and rsync them to the secondary. The setup is reasonably secure, dedicated DNS user account on each machine and ssh for transport, but given the number of moving parts between signing and the secondary server and the chance of occasional bitrot, it'd be nice to be able to check that the zone is correct and get notified of failure immediately rather than hoping I notice odd resolution strangeness on the secondary.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
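The check described in the message (batch-verify a zone on the secondary after an insecure transfer), as an added example that is not from the thread or from any ZONEMD implementation: a simplified ZONEMD-style digest over a constructed zone, with a publisher step and the verify step a secondary could run before loading. It hashes presentation text in a fixed order rather than the draft's wire-format canonicalisation, and it only detects corruption or alteration; as the thread says, the ZONEMD RR itself must be DNSSEC-signed for the digest to mean anything against a deliberate change, which this example does not cover.

```python
import hashlib
# Constructed sample zone in presentation format (not from the message).
ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2018081101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
ns2.example.com. 3600 IN A 192.0.2.2
www.example.com. 3600 IN A 192.0.2.10
"""

def parse_zone(text):
    """One RR per line: owner ttl class type rdata (no $ directives, no comments)."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            records.append((owner.lower(), int(ttl), cls, rtype, rdata))
    return records

def zone_digest(records):
    """SHA-384 over the zone in a fixed order (owner labels reversed, type, rdata),
    skipping ZONEMD itself. Simplified: hashes text, not the RFC 8976 wire format."""
    h = hashlib.sha384()
    for rr in sorted(records, key=lambda r: (r[0].split(".")[::-1], r[3], r[4])):
        if rr[3] != "ZONEMD":
            h.update(" ".join(map(str, rr)).encode() + b"\n")
    return h.hexdigest()

def add_zonemd(zone_text):
    """Publisher side: append the apex ZONEMD RR (serial scheme hashalg digest)."""
    records = parse_zone(zone_text)
    soa = next(rr for rr in records if rr[3] == "SOA")
    serial = soa[4].split()[2]
    return zone_text + f"{soa[0]} 3600 IN ZONEMD {serial} 1 1 {zone_digest(records)}\n"

def verify_zone(zone_text):
    """Consumer side (the secondary after rsync): return (ok, reason)."""
    records = parse_zone(zone_text)
    zonemds = [rr for rr in records if rr[3] == "ZONEMD"]
    if len(zonemds) != 1:
        return False, "expected exactly one ZONEMD record"
    serial, _scheme, _alg, digest = zonemds[0][4].split()
    soa = next(rr for rr in records if rr[3] == "SOA")
    if serial != soa[4].split()[2]:
        return False, "ZONEMD serial does not match SOA serial (stale digest)"
    if zone_digest(records) != digest:
        return False, "digest mismatch: zone corrupted or altered in transit"
    return True, "zone digest verified"
```

The reason string is what a secondary would log or alert on instead of waiting for odd resolution behaviour to be noticed.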