Hi Joe,
On 29.09.20 at 15:03, Joe Abley wrote:
> The other use case I seem to think you're implying is that a consumer of the
> signed zone could verify that it was intact using the signed-zone ZONEMD, then
> strip the DNSSEC RRs and retain the ability to verify that the result was an
> accurate representation of the unsigned zone using the unsigned-zone ZONEMD.
> This seems like a slightly odd thing to want to do, but perhaps I'm just not
> thinking hard enough?
>
> Joe
Yes, something like this.
My initial thought was that the signer, which converts the unsigned
zone by adding signatures and keys, might not be able to compute/update
the ZONEMD record.
It might also be useful, when the zone is only re-signed and otherwise
unchanged, if the zone checksum were unchanged.
I'm not sure. This is just a thing to be thought of.
I would love it if there were a bit flag indicating whether the checksum has been
computed including DNSSEC records, or without them. This would leave the
freedom of choice to the users, while adding some complexity to software
implementations.
Thanks for consideration,
Libor
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
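The behaviour Libor describes (a zone digest that a signer need not touch, and that stays the same when the zone is merely re-signed) can be worked through with a small model. The code below is an added example for this thread; it is not from any ZONEMD implementation and not Libor's or Joe's code. It hashes presentation-format text rather than the RFC 8976 wire format, so its digests are not comparable to real ZONEMD values, but the exclusion rules (apex ZONEMD and the RRSIG covering it are never hashed) follow the RFC's SIMPLE scheme. The proposed "with or without DNSSEC records" flag is modelled as the `include_dnssec` parameter, not as a new RDATA field, since the thread proposes no encoding; the set of RR types treated as DNSSEC records, the sample zone, and the fake keys and signatures are all assumptions constructed for the example.

```python
import hashlib

# RR types that exist only because the zone is DNSSEC-signed. A digest computed "without
# DNSSEC records", as proposed in the thread, skips these. This set is an assumption of the
# model; the thread does not define which types the proposed flag would exclude.
DNSSEC_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM"}


def parse_zone(text):
    """Parse a minimal presentation-format zone: one RR per line as
    'owner TTL class type rdata', absolute owner names, no $ORIGIN or parentheses."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        rrs.append((owner.lower(), int(ttl), cls.upper(), rtype.upper(), " ".join(rdata.split())))
    return rrs


def canonical_key(rr):
    """Sort key approximating RFC 4034 canonical ordering: owner labels compared from the
    root downwards, then RR type, then RDATA (as text here; the RFC compares wire form)."""
    owner, _ttl, _cls, rtype, rdata = rr
    return (owner.rstrip(".").split(".")[::-1], rtype, rdata)


def zone_digest(rrs, apex, include_dnssec=True):
    """Simplified model of the RFC 8976 SIMPLE scheme that hashes presentation text rather
    than wire format. As in the RFC, apex ZONEMD RRs and the apex RRSIG covering ZONEMD are
    always left out. include_dnssec=False models the proposed flag: DNSSEC RR types are
    skipped as well, so the digest describes the unsigned zone."""
    apex = apex.lower()
    h = hashlib.sha384()
    for owner, ttl, cls, rtype, rdata in sorted(rrs, key=canonical_key):
        if owner == apex and rtype == "ZONEMD":
            continue
        if owner == apex and rtype == "RRSIG" and rdata.split()[0].upper() == "ZONEMD":
            continue
        if not include_dnssec and rtype in DNSSEC_TYPES:
            continue
        h.update(f"{owner} {ttl} {cls} {rtype} {rdata}\n".encode())
    return h.hexdigest()


APEX = "example."

# Constructed sample zone (not real data). The ZONEMD digest is a placeholder; it is never
# hashed, so its value does not affect the comparisons below.
UNSIGNED_ZONE = """\
example.     3600 IN SOA    ns1.example. admin.example. 2020092901 7200 3600 1209600 3600
example.     3600 IN NS     ns1.example.
example.     3600 IN ZONEMD 2020092901 1 1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ns1.example. 3600 IN A      192.0.2.1
www.example. 3600 IN A      192.0.2.10
"""


def sign_zone(zone_text, run):
    """Model a signer that adds DNSKEY, NSEC and RRSIG RRs and changes nothing else.
    Key and signature fields are fake base64 placeholders; `run` is mixed into the
    signature text so that two signing runs yield different RRSIGs, as fresh ones would."""
    sig = f"20201029000000 20200929000000 12345 example. c2lnLXJ1bi0{run}="
    return zone_text + f"""\
example.     3600 IN DNSKEY 257 3 13 cGxhY2Vob2xkZXIta2V5=
example.     3600 IN NSEC   ns1.example. SOA NS RRSIG NSEC DNSKEY ZONEMD
example.     3600 IN RRSIG  SOA 13 1 3600 {sig}
example.     3600 IN RRSIG  NS 13 1 3600 {sig}
example.     3600 IN RRSIG  DNSKEY 13 1 3600 {sig}
example.     3600 IN RRSIG  NSEC 13 1 3600 {sig}
example.     3600 IN RRSIG  ZONEMD 13 1 3600 {sig}
ns1.example. 3600 IN NSEC   www.example. A RRSIG NSEC
ns1.example. 3600 IN RRSIG  A 13 2 3600 {sig}
ns1.example. 3600 IN RRSIG  NSEC 13 2 3600 {sig}
www.example. 3600 IN NSEC   example. A RRSIG NSEC
www.example. 3600 IN RRSIG  A 13 2 3600 {sig}
www.example. 3600 IN RRSIG  NSEC 13 2 3600 {sig}
"""


def digests(zone_text):
    """Both digests of one zone: with DNSSEC records (RFC 8976 behaviour) and without."""
    rrs = parse_zone(zone_text)
    return zone_digest(rrs, APEX, True), zone_digest(rrs, APEX, False)


def demo():
    """Work through the three zones from the thread: unsigned, signed, and re-signed."""
    unsigned_full, unsigned_bare = digests(UNSIGNED_ZONE)
    signed_full, signed_bare = digests(sign_zone(UNSIGNED_ZONE, run=1))
    resigned_full, resigned_bare = digests(sign_zone(UNSIGNED_ZONE, run=2))
    return {
        # Signing adds RRs, so the RFC 8976-style digest has to change.
        "signing_changes_full_digest": signed_full != unsigned_full,
        # The signer can leave the "without DNSSEC" digest alone: it still equals the
        # digest of the unsigned input zone, so no ZONEMD update is needed at signing time.
        "unsigned_digest_survives_signing": signed_bare == unsigned_full == unsigned_bare,
        # Re-signing only replaces RRSIGs: full digest changes, unsigned digest does not.
        "resigning_changes_full_digest": resigned_full != signed_full,
        "resigning_keeps_unsigned_digest": resigned_bare == signed_bare,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The trade-off the model makes visible is the one Joe raises: a verifier holding only the "without DNSSEC" digest learns nothing about whether the RRSIG, DNSKEY or NSEC records it received are the ones the publisher intended, so such a digest protects the unsigned content but not the signed zone as a whole.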