> On Jun 20, 2018, at 11:19 PM, Petr Špaček <petr.spa...@nic.cz> wrote:
>
>> Longer term, perhaps the best solution will end up being XFR using DNS over
>> TLS (or HTTPS) with server authentication. Yes, I realize that authoritative
>> servers are not yet the targets of those protocols, but it's probably
>> only a matter of time.
>
> HTTPS over TLS is what we did for root zone import into Knot Resolver's
> cache (from version 2.3 onwards but beware, there are little bugs which
> were fixed in 2.4 - to be released soon).
The problem I'm seeking to solve is somewhat different, and it's probably not clearly stated in the draft, so I will add some text to rectify that. I'm not trying to solve the problem that SIG(0), SIG(AXFR), or TLS addresses -- that you're talking to the right server and that data wasn't modified in transit. My goal is to ensure that when you receive a zone file -- however you receive it (DNS, HTTPS, P2P file sharing, Avian Carrier) -- you get the data that the zone publisher actually published.

DW
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
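The distinction drawn in the reply above (transport authentication versus "did I get what the publisher published?") can be made concrete with a small content check that is independent of how the zone bytes arrived. The following is an added illustration written for this page; it is not code from the draft under discussion, from its author, or from Knot Resolver, and it does not claim to be the draft's mechanism. It assumes a simplified one-RR-per-line zone format (not full RFC 1035 parsing), a constructed sample zone, and that the publisher's digest reaches the recipient through some trusted path (for example alongside a signature), which the example deliberately does not model.

```python
import hashlib
import hmac

# Constructed sample zone for this illustration (not a real zone).
# This is the content exactly as the publisher wrote it.
PUBLISHED_ZONE = """\
; example zone, constructed for this illustration
example.     3600 IN SOA ns1.example. admin.example. 2018062001 7200 3600 1209600 3600
example.     3600 IN NS  ns1.example.
example.     3600 IN NS  ns2.example.
ns1.example. 3600 IN A   192.0.2.1
ns2.example. 3600 IN A   192.0.2.2
www.example. 300  IN A   192.0.2.10
"""


def canonical_records(zone_text):
    """Reduce zone text to a sorted list of canonical RR strings.

    Presentation differences that a transport or an intermediate tool may
    introduce (comments, blank lines, spacing, owner-name case, record order)
    must not change the digest, so they are normalised away here. Assumes the
    simplified layout 'owner TTL class type rdata', one RR per line.
    """
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(';', 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("unparseable record: %r" % raw)
        owner = fields[0].lower()
        ttl, rrclass, rrtype = fields[1], fields[2].upper(), fields[3].upper()
        rdata = ' '.join(fields[4:])
        records.append("%s %s %s %s %s" % (owner, ttl, rrclass, rrtype, rdata))
    return sorted(records)


def zone_digest(zone_text):
    """SHA-256 over the canonical records, one per line."""
    h = hashlib.sha256()
    for rr in canonical_records(zone_text):
        h.update(rr.encode('ascii') + b'\n')
    return h.hexdigest()


def verify_zone(received_text, published_digest):
    """Content check: true only if the received zone is the published zone.

    Nothing here depends on the channel the bytes came over; the only trust
    assumption is that published_digest itself is authentic.
    """
    return hmac.compare_digest(zone_digest(received_text), published_digest)


# What the publisher would distribute through a trusted channel (assumed).
PUBLISHED_DIGEST = zone_digest(PUBLISHED_ZONE)

# Constructed copy as it might arrive over an arbitrary channel: same records,
# different order, different spacing, an owner name in upper case, a comment.
RECEIVED_REORDERED = """\
WWW.EXAMPLE.    300    IN  A   192.0.2.10   ; re-exported by some tool
ns2.example. 3600 IN A   192.0.2.2

ns1.example. 3600 IN A   192.0.2.1
example.     3600 IN NS  ns2.example.
example.     3600 IN NS  ns1.example.
example.     3600 IN SOA ns1.example. admin.example. 2018062001 7200 3600 1209600 3600
"""

# Constructed copy in which one record differs from what was published.
RECEIVED_TAMPERED = PUBLISHED_ZONE.replace("192.0.2.10", "198.51.100.99")

if __name__ == "__main__":
    print("reordered copy verifies:", verify_zone(RECEIVED_REORDERED, PUBLISHED_DIGEST))
    print("altered copy verifies:  ", verify_zone(RECEIVED_TAMPERED, PUBLISHED_DIGEST))
```

The point of the example is where the trust sits: a server-authenticated TLS session tells the recipient who sent the bytes, but says nothing about whether those bytes match what the publisher intended if the copy was altered before it left the server or while passing through an intermediate distributor; the digest check catches that case, and in turn it is only as strong as the path by which the published digest itself is obtained. Canonicalisation is the part that requires care in practice, since any ambiguity there produces false mismatches or lets equivalent-looking data slip through.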