On 8/13/18, 13:35, "John R Levine" <jo...@taugh.com> wrote:

> Hey, I have a great idea. We could make sure that the zone file received
> matches the zone file sent by including a hash of the zone in a record in the
> zone. Whaddaya think?

In some sense, it's re-inventing the wheel.

> I realize you could refetch all the glue and check it but that's a lot more
> work.

Some code already does that, in the sense that the glue may be needed for other queries.

If not, what happens if bad glue (meaning the address is not in use by the intended server) is included? Either no response, a lame server response, or a response with false data. The first two are denials of service, but the querier ought to (as in not guaranteed to) be able to find another source. The latter may be a mistake (neglected decommissioning of a zone when service is transferred) or malicious (the use case usually in mind). For the latter to "disrupt", the data would have to be correctly signed to get past DNSSEC validation.

What this keeps coming back to is: is this new invention giving us anything that DNSSEC doesn't already give us? As in, if it seems that DNSSEC is needed to validate it, why not just validate the data we are after?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
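To make the idea under discussion concrete, here is an added toy example (not code from either poster, and not the algorithm of any real zone-digest specification): a zone in presentation format gets a digest record at its apex whose rdata is a SHA-384 over the canonically ordered RRs, excluding the digest record itself; a receiver recomputes the digest and rejects a zone whose content was altered in transit. The record type name `ZONEDIGEST`, the one-RR-per-line parser and the sample zone are all constructed for this example.

```python
import hashlib
import re

# Constructed sample zone (RFC 5737 addresses); one RR per line, no $ directives.
SAMPLE_ZONE = """\
example.     3600 IN SOA ns1.example. hostmaster.example. 2018081301 7200 3600 1209600 3600
example.     3600 IN NS  ns1.example.
example.     3600 IN NS  ns2.example.
ns1.example. 3600 IN A   192.0.2.1
ns2.example. 3600 IN A   192.0.2.2
www.example. 3600 IN A   192.0.2.10
"""

# Hypothetical record type carrying the zone digest (example name, not a real RR type).
DIGEST_TYPE = "ZONEDIGEST"


def parse_zone(text):
    """Parse simple presentation-format lines into (owner, ttl, class, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = re.split(r"\s+", line, maxsplit=4)
        records.append((owner.lower(), int(ttl), rclass, rtype, rdata))
    return records


def compute_digest(records):
    """SHA-384 over the canonically sorted RRs, skipping the digest record itself
    (a digest cannot cover its own value without a chicken-and-egg problem)."""
    h = hashlib.sha384()
    for owner, ttl, rclass, rtype, rdata in sorted(records):
        if rtype == DIGEST_TYPE:
            continue
        h.update(f"{owner} {ttl} {rclass} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def add_digest(text):
    """Publisher side: append the digest record at the zone apex (the SOA owner)."""
    records = parse_zone(text)
    apex = next(r[0] for r in records if r[3] == "SOA")
    return text + f"{apex} 3600 IN {DIGEST_TYPE} {compute_digest(records)}\n"


def verify_digest(text):
    """Receiver side: exactly one digest record must be present and must match."""
    records = parse_zone(text)
    published = [r for r in records if r[3] == DIGEST_TYPE]
    if len(published) != 1:
        return False
    return published[0][4] == compute_digest(records)


if __name__ == "__main__":
    published_zone = add_digest(SAMPLE_ZONE)
    print("intact zone verifies:", verify_digest(published_zone))
    tampered_zone = published_zone.replace("192.0.2.10", "203.0.113.10")
    print("tampered zone verifies:", verify_digest(tampered_zone))
```

Note what the check does and does not give you, which is the reply's point: a matching digest only proves the received file equals the file the digest was computed over. Whoever computed it could also have written the altered data, so the digest record itself has to be covered by a signature the receiver trusts (in DNS terms, an RRSIG validated under DNSSEC) before a match means anything; and once the receiver is doing DNSSEC validation, it can validate the RRsets it actually wants directly.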