On Tue, Jun 19, 2018 at 10:32 AM Petr Špaček <petr.spa...@nic.cz> wrote:
> > I think we need to first answer the question why existing technologies do
> > not fit the purpose.
>

This is a reasonable question. I noticed that the draft doesn't mention SIG(0) at all. One of the main motivators of the draft is stated to be secure, wide-scale distribution of the root zone. To me, SIG(0) would have been an obvious candidate solution for this problem. The zone owner can publish one public key to the world, and sign zone transfer messages with the corresponding secret key. If the zone owner supports IXFR, the incremental cost of these message signatures is also quite small.

Possible issues with SIG(0):

* Although it is an existing technology, it isn't widely implemented or used. I just learned on DNS Twitter that BIND only supports SIG(0) for UPDATE, for example, and not XFR.

* If the goal is to support secure acquisition of the zone outside the DNS protocol, then it can't do that. But neither is ZONEMD needed for that - we can use an out-of-band signature using a variety of methods.

* And there is also the question of the status of SIG(0), which isn't clear to me: although RFC 2931 is not obsolete, it is based on the SIG record, which is defined in an RFC that has been obsoleted by the DNSSEC-bis documents.

--
Shumon.
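The SIG(0) arrangement sketched in the message above, as an added example that is not from the thread or from any DNS implementation: the zone owner signs each transfer response with the secret key, and a receiver checks it with the one published public key, following the RFC 2931 section 3.1 ordering of the signed data (SIG RDATA without the signature field, the full request, the response without its SIG(0) RR). The query and response bytes, key tag and timestamps are constructed sample values, and the DNS wire encoding of the messages themselves is not modelled; only the SIG(0) RDATA prefix is laid out byte by byte.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Sig0Rdata holds the SIG(0) RDATA fields that precede the signature (RFC 2931 reuses the RFC 2535 SIG layout).
type Sig0Rdata struct {
	Alg        uint8  // DNSSEC algorithm number; 15 = ED25519
	Expiration uint32 // signature expiration, seconds since the epoch
	Inception  uint32 // signature inception
	KeyTag     uint16 // key tag of the published key (constructed value below)
	Signer     []byte // signer's name in wire format; 0x00 is the root
}

// Bytes serialises the RDATA without the signature field. Type covered (b[0:2])
// stays 0, which is what makes this SIG(0); labels and original TTL are 0 too.
func (r Sig0Rdata) Bytes() []byte {
	b := make([]byte, 18, 18+len(r.Signer))
	b[2] = r.Alg
	binary.BigEndian.PutUint32(b[8:], r.Expiration)
	binary.BigEndian.PutUint32(b[12:], r.Inception)
	binary.BigEndian.PutUint16(b[16:], r.KeyTag)
	return append(b, r.Signer...)
}

// SignedData is what RFC 2931 section 3.1 signs for a response: RDATA (minus
// signature) | full request | response without its SIG(0). Here resp is the
// transfer message before the SIG(0) RR is appended; a verifier removes that RR
// and decrements ARCOUNT to recover it. Binding the request defeats replay.
func SignedData(r Sig0Rdata, req, resp []byte) []byte {
	return append(append(r.Bytes(), req...), resp...)
}

// SignResponse runs at the zone owner (secret key); VerifyResponse at the receiver (published public key).
func SignResponse(priv ed25519.PrivateKey, r Sig0Rdata, req, resp []byte) []byte {
	return ed25519.Sign(priv, SignedData(r, req, resp))
}
func VerifyResponse(pub ed25519.PublicKey, r Sig0Rdata, req, resp, sig []byte) bool {
	return ed25519.Verify(pub, SignedData(r, req, resp), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := Sig0Rdata{Alg: 15, Expiration: 1529500000, Inception: 1529400000, KeyTag: 4242, Signer: []byte{0}}
	req, resp := []byte("constructed AXFR query for ."), []byte("constructed AXFR response message 1")
	sig := SignResponse(priv, r, req, resp)
	fmt.Println(VerifyResponse(pub, r, req, resp, sig), VerifyResponse(pub, r, req, []byte("tampered"), sig))
}
```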
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop