Hi,

I don't fully know the background of this topic, so my question might be dumb.

Often the zone operators work with both unsigned and signed "versions" of their zone. The unsigned version usually comes from a registry system or a database, whereas a "signer" server adds "the DNSSEC stuff", like DNSKEYs, RRSIGs, NSECs, etc. It's also usually possible to do the reverse: strip DNSSEC-related records from a signed zone, if needed.

I feel like it would be equally useful to maintain a digest of the un-signed and signed version of the zone, respectively.

Does the calculation of ZONEMD include the DNSSEC-related records? Have you maybe thought about including two such records, for both cases?

Thanks for comments,

Libor
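The following is an added illustration by the editor, not code from the thread or from the draft authors. In the draft's SIMPLE scheme (as specified in RFC 8976, the published version of this draft, section 3.3.1) every RR of the zone is hashed in canonical order and canonical wire form, and DNSSEC records are included when the zone is signed; the only exclusions are the apex ZONEMD placeholder itself and the RRSIG covering the apex ZONEMD RRset. The snippet assumes RDATA is already in wire form (the `<...>` byte strings are constructed placeholders, not real RDATA), lists only the three DNSSEC types used in the constructed zone, and therefore does not produce real digests for a real zone; what it shows is the inclusion rule and why a signed and an unsigned copy of the same zone get different ZONEMD values.

```python
import hashlib
import struct

# Record type codes used below (IANA DNS parameters registry).
A, NS, SOA, RRSIG, NSEC, DNSKEY, ZONEMD = 1, 2, 6, 46, 47, 48, 63
# DNSSEC types a "strip DNSSEC" step would remove. Assumption: only the three
# types used in the constructed zone are listed; NSEC3, NSEC3PARAM, CDS and
# CDNSKEY would belong here too.
DNSSEC_TYPES = {RRSIG, NSEC, DNSKEY}

# An RR is a tuple (owner, ttl, type, rdata); class is always IN (1).
# Assumption: rdata is already in wire form. The <...> strings are constructed
# placeholders, not real RDATA, so the digests below are illustrative only.
APEX = "example."
SIGNED_ZONE = [
    ("example.", 86400, SOA, b"<soa-rdata>"),
    ("example.", 86400, NS, b"<ns-rdata>"),
    ("www.example.", 3600, A, bytes([192, 0, 2, 1])),
    ("example.", 3600, DNSKEY, b"<dnskey-rdata>"),
    ("example.", 3600, NSEC, b"<nsec-rdata>"),
    # RRSIG RDATA starts with the 16-bit "type covered" field.
    ("example.", 86400, RRSIG, struct.pack("!H", SOA) + b"<sig-over-soa>"),
    ("example.", 86400, RRSIG, struct.pack("!H", ZONEMD) + b"<sig-over-zonemd>"),
    ("example.", 86400, ZONEMD, b"<placeholder-zonemd>"),
]


def _labels(name):
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]


def canonical_name_wire(name):
    """Owner name in canonical wire form: lowercase, uncompressed (RFC 4034 s6.2)."""
    return b"".join(bytes([len(l)]) + l for l in _labels(name)) + b"\x00"


def canonical_sort_key(rr):
    """RFC 4034 s6.3 canonical RR ordering: by owner name (labels compared from
    the root, hence the reversed label list), then by type, then by RDATA."""
    owner, _ttl, rtype, rdata = rr
    return (tuple(reversed(_labels(owner))), rtype, rdata)


def rrsig_type_covered(rdata):
    return struct.unpack("!H", rdata[:2])[0]


def included_in_digest(rr, apex):
    """RFC 8976 s3.3.1: everything is hashed, DNSSEC records included, except
    the apex ZONEMD placeholder(s) and the RRSIG covering the apex ZONEMD RRset."""
    owner, _ttl, rtype, rdata = rr
    at_apex = _labels(owner) == _labels(apex)
    if at_apex and rtype == ZONEMD:
        return False
    if at_apex and rtype == RRSIG and rrsig_type_covered(rdata) == ZONEMD:
        return False
    return True


def rr_wire(rr):
    """owner | type | class | ttl | rdlength | rdata (RFC 1035 wire layout)."""
    owner, ttl, rtype, rdata = rr
    return canonical_name_wire(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def zonemd_simple_digest(rrs, apex, hash_name="sha384"):
    """SIMPLE scheme: hash the concatenated canonical wire form of the included,
    de-duplicated RRs in canonical order. Hash algorithm 1 is SHA-384."""
    h = hashlib.new(hash_name)
    for rr in sorted(set(rrs), key=canonical_sort_key):  # set() drops exact duplicates
        if included_in_digest(rr, apex):
            h.update(rr_wire(rr))
    return h.hexdigest()


def strip_dnssec(rrs):
    """The 'reverse' step from the question: the unsigned view of a signed zone."""
    return [rr for rr in rrs if rr[2] not in DNSSEC_TYPES]


if __name__ == "__main__":
    signed = zonemd_simple_digest(SIGNED_ZONE, APEX)
    unsigned = zonemd_simple_digest(strip_dnssec(SIGNED_ZONE), APEX)
    print("signed   :", signed)
    print("unsigned :", unsigned)
    print("differ   :", signed != unsigned)
```

Running it shows that the signed zone and its DNSSEC-stripped counterpart hash to different values, while dropping only the placeholder ZONEMD record and its RRSIG leaves the digest unchanged, because those two records are excluded by the scheme anyway. A single ZONEMD record therefore covers the signed zone as published; a separate digest over the unsigned input would be a second, independent calculation, which is the design question raised above.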

On 25.09.20 at 22:09 internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Message Digest for DNS Zones
        Authors         : Duane Wessels
                          Piet Barber
                          Matt Weinberg
                          Warren Kumari
                          Wes Hardaker
        Filename        : draft-ietf-dnsop-dns-zone-digest-11.txt
        Pages           : 36
        Date            : 2020-09-25

Abstract:
    This document describes a protocol and new DNS Resource Record that
    provides a cryptographic message digest over DNS zone data.  The
    ZONEMD Resource Record conveys the digest data in the zone itself.
    When a zone publisher includes a ZONEMD record, recipients can verify
    the zone contents for accuracy and completeness.  This provides
    assurance that received zone data matches published data, regardless
    of how the zone data has been transmitted and received.

    ZONEMD does not replace DNSSEC.  Whereas DNSSEC protects individual
    RRSets (DNS data with fine granularity), ZONEMD protects a zone's
    data as a whole, whether consumed by authoritative name servers,
    recursive name servers, or any other applications.

    As specified herein, ZONEMD is impractical for large, dynamic zones
    due to the time and resources required for digest calculation.
    However, the ZONEMD record is extensible so that new digest schemes
    may be added in the future to support large, dynamic zones.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-zone-digest/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-11
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-zone-digest-11

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dns-zone-digest-11


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
