but the obvious consumer is a DNS server.
Maybe, maybe not. I've seen DNS used in turnkey ways. Nevertheless,
given the complexity of DNSSEC validation, a wise implementer should
re-use the parts of a DNS server for this.
If the question is whether one might use this to create a kludge and shoot
yourself in the foot, well, sure, but in the DNS world that goes without
saying. On the other hand, I would think that in a reasonably well written
DNSSEC implementation it wouldn't be too hard to reuse the code that
checks the signature on a record received as a response to a query to
check the signature on the ZONEMD.
it'd be nice to be able to check that the zone is correct and get notified of
failure
There are many existing tools for such a setup. For one, use a VPN or
in-band channel security, and/or make sure the zone file received
matches the zone file sent.
Hey, I have a great idea. We could make sure that the zone file received
matches the zone file sent by including a hash of the zone in a record in
the zone. Whaddaya think?
R's,
John
PS:
In essence, what would do DNSSEC validation for the ZONEMD and not for data
sets within the zone?
The glue. I realize you could refetch all the glue and check it but
that's a lot more work.
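The PS point above, as an added example that is not part of the thread: a small Python model (constructed zone, an HMAC stand-in for RRSIGs, and a presentation-form digest rather than RFC 8976 wire format) showing that a DNSSEC-style check never examines the unsigned glue while the zone digest covers it, and that the ZONEMD record itself is verified like any other apex record.

```python
import hashlib
import hmac

ZONE = [  # constructed sample zone for example.: (owner, ttl, class, type, rdata)
    ("example.", 3600, "IN", "SOA", "ns1.example. admin.example. 1 7200 3600 1209600 3600"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("ns1.example.", 3600, "IN", "A", "192.0.2.1"),
    ("child.example.", 3600, "IN", "NS", "ns1.child.example."),
    ("ns1.child.example.", 3600, "IN", "A", "192.0.2.53"),  # glue: in the file, never signed
]
DELEGATIONS = {"child.example."}
SIGNING_KEY = b"hypothetical-zsk"  # stand-in for the zone signing key


def canonical(rr):
    owner, ttl, cls, rtype, rdata = rr
    return f"{owner.lower()} {ttl} {cls} {rtype} {rdata}".encode()


def unsigned_in_parent(rr):
    """Delegating NS sets and their glue are not authoritative here, so they carry no RRSIG."""
    return any(rr[0] == d or rr[0].endswith("." + d) for d in DELEGATIONS)


def sign_zone(zone):
    """Stand-in for RRSIGs: an HMAC per authoritative RR (real DNSSEC signs RRsets asymmetrically)."""
    return {canonical(rr): hmac.new(SIGNING_KEY, canonical(rr), "sha256").hexdigest()
            for rr in zone if not unsigned_in_parent(rr)}


def dnssec_check(zone, sigs):
    """Validator's view: every authoritative RR must verify; glue is not examined at all."""
    return all(unsigned_in_parent(rr) or
               sigs.get(canonical(rr)) == hmac.new(SIGNING_KEY, canonical(rr), "sha256").hexdigest()
               for rr in zone)


def zone_digest(zone):
    """Simplified ZONEMD SIMPLE scheme: SHA-384 over every RR in canonical order, glue
    included and the ZONEMD RR itself excluded (RFC 8976 hashes wire format, not text)."""
    body = b"".join(canonical(rr) + b"\n" for rr in sorted(zone, key=canonical) if rr[3] != "ZONEMD")
    return hashlib.sha384(body).hexdigest()


def publish(zone):
    """Append the apex ZONEMD (serial 1, scheme 1 SIMPLE, hash 1 SHA-384), then sign the zone."""
    signed = zone + [("example.", 3600, "IN", "ZONEMD", f"1 1 1 {zone_digest(zone)}")]
    return signed, sign_zone(signed)


def zonemd_check(zone):
    """Receiver's view: recompute the digest and compare it with the published one."""
    found = [rr for rr in zone if rr[3] == "ZONEMD"]
    return bool(found) and found[0][4].split()[-1] == zone_digest(zone)


def replace_a(zone, owner, addr):
    """Constructed in-transit corruption of one A record."""
    return [(o, t, c, ty, addr if (o, ty) == (owner, "A") else rd) for o, t, c, ty, rd in zone]
```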
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop