On 15. 02. 26 19:33, Joe Abley wrote:
> On 4 Feb 2026, at 10:27, Libor Peltan <[email protected]> wrote:
>
>> As a DNS nerd, I also favor AXFR/IXFR for local root updates.
>
> Just curious, why?
>
> I understand that when you live and breathe DNS, zone transfer as a concept looks and feels a certain way, but do you see technical advantages to using AXFR over (say) HTTPS?

The tremendous attack surface of the HTTP and TLS ecosystem, plus extra dependencies on an HTTP library, which were nonexistent before.

When we write "HTTP", it is actually 4 software stacks, namely:
- HTTP/1
- HTTP/2
- TLS
- HTTP/3 / QUIC

Each is implemented as a separate library with its own quirks.

I've been personally dealing with DoH bugs since its inception, and the amount of time DNS engineers have spent working around HTTP/TLS quirks is astonishing, and new attacks are being looked for as we speak.

One way to deal with this would be something like 'MUST support HTTP/3', but I'm not sure if it is practical at this point. Doing 'MUST HTTP/2' would be easier to achieve in practice but hey, isn't it weird to peg an old protocol?

Anyway, I second Ben Schwarz's opinion that we really need a self-contained DNS solution. HTTP can be optional in case a given DNS implementation has to deal with HTTP for other reasons anyway.

--
Petr Špaček

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]