In article <ba2da98c-af02-4a6c-a607-94ef3daf3...@gmail.com> you write:
>What ZONEMD would provide is a method of validation of the non-authoritative
>A/AAAA (glue) for the TLD itself.
No, assuming that the ZONEMD is signed, it just tells you that your copy of the zone has the same glue as the one the zone's publisher signed. As others have noted it may or may not be possible to verify the glue separately depending on what other zones are signed.

How about if we pare down the draft to say that a signed ZONEMD attests that the zone has been copied unmodified from the signer, and leave it at that. It's not a substitute for DNSSEC. It's a way to reliably transfer signed zones over channels other than AXFR.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
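The distinction John draws, as an added example that is not part of the thread: a receiver checks a zone copy against its ZONEMD digest and detects a glue record altered in transit, yet the same check passes when the publisher itself shipped wrong glue, because the digest only attests that the copy is unmodified. The zone, record names and addresses are constructed, and the digest is a simplified model (SHA-384 over canonically ordered presentation text, not the RFC 8976 wire-format encoding); the DNSSEC signature that makes the digest trustworthy is assumed and not implemented here.

```python
import hashlib
import hmac

# Constructed sample zone for a hypothetical TLD "example." (not a real zone):
# (owner, type, rdata). The A/AAAA records under the NS names are the glue.
ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 7200 3600 1209600 3600"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NS", "ns2.example."),
    ("ns1.example.", "A", "192.0.2.1"),        # glue
    ("ns2.example.", "AAAA", "2001:db8::2"),   # glue
    ("www.example.", "A", "192.0.2.10"),
]

def zone_digest(rrs):
    """SHA-384 over the zone in canonical order, skipping the ZONEMD RR itself.
    Simplified model: RFC 8976 hashes canonical wire format, this hashes
    presentation text, but the property demonstrated is the same."""
    canon = sorted((o.lower(), t, r) for o, t, r in rrs if t != "ZONEMD")
    h = hashlib.sha384()
    for owner, rtype, rdata in canon:
        h.update(f"{owner} {rtype} {rdata}\n".encode())
    return h.hexdigest()

def publish(rrs):
    """Publisher: append the ZONEMD RR. In practice the zone, including this
    RR, is then DNSSEC-signed, which is what makes the digest trustworthy."""
    return rrs + [("example.", "ZONEMD", zone_digest(rrs))]

def replace_rdata(rrs, owner, rtype, new_rdata):
    """Return a copy of the zone with one record's rdata swapped."""
    return [(o, t, new_rdata if (o, t) == (owner, rtype) else r) for o, t, r in rrs]

def verify_copy(rrs):
    """Receiver: recompute the digest and compare with the published one.
    True means the copy matches what the publisher digested, nothing more."""
    zonemd = [r for r in rrs if r[1] == "ZONEMD"]
    if len(zonemd) != 1:
        return False
    return hmac.compare_digest(zonemd[0][2], zone_digest(rrs))

if __name__ == "__main__":
    signed = publish(ZONE)
    print("faithful copy:", verify_copy(signed))                          # True
    tampered = replace_rdata(signed, "ns1.example.", "A", "198.51.100.9")
    print("glue altered in transit:", verify_copy(tampered))             # False
    # Publisher ships wrong glue: ZONEMD still verifies, it never checked the glue.
    wrong_at_source = publish(replace_rdata(ZONE, "ns1.example.", "A", "198.51.100.9"))
    print("wrong glue, published as-is:", verify_copy(wrong_at_source))  # True
```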