> On Jul 23, 2018, at 1:47 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> 
> The messages on this thread seem to alternate between this being a zone hash 
> and a zone signature. There is a pretty large difference between the 
> requirements and uses for each.


Thanks for pointing this out.  On the chance that someone is unclear about what 
we propose in the dns-zone-digest draft (AKA ZONEMD), it is this:

ZONEMD is a hash (message digest) of the zone contents in canonical wire 
format.  The hash alone provides weak security and the ability to detect 
unintentional changes or tampering.  It uses the same hashing algorithms that 
DS uses.

When used with a DNSSEC-signed zone, ZONEMD provides much stronger security 
guarantees.  The ZONEMD record is signed like all the other records in a zone.

DW

 


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
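
An added illustration, not code from the draft or from the message above: a Python sketch of the two cases the message describes, a bare digest over the zone's records and the same digest covered by a signature. SHA-256 is one of the DS digest algorithms; the simplified record encoding, the function names, the sample zone and the HMAC standing in for a DNSSEC signature are assumptions and do not reproduce the draft's exact procedure.

```python
import hashlib, hmac, struct

A = 1  # RR type code for A records
ZONE = [  # constructed sample zone (documentation addresses)
    ("example.", A, 3600, bytes([192, 0, 2, 1])),
    ("www.example.", A, 3600, bytes([192, 0, 2, 10])),
    ("mail.example.", A, 3600, bytes([192, 0, 2, 25])),
]

def name_to_wire(name):
    # Canonical owner name: lowercased, length-prefixed labels, root terminator.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr_to_wire(owner, rtype, ttl, rdata):
    # owner | TYPE | CLASS=IN | TTL | RDLENGTH | RDATA
    return name_to_wire(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def canonical_key(rr):
    # Canonical ordering: labels compared right to left, then type, then RDATA.
    owner, rtype, _ttl, rdata = rr
    labels = owner.lower().rstrip(".").split(".")[::-1]
    return ([l.encode("ascii") for l in labels], rtype, rdata)

def zone_digest(records):
    h = hashlib.sha256()
    for rr in sorted(records, key=canonical_key):
        h.update(rr_to_wire(*rr))
    return h.hexdigest()

def check_unsigned(records, published):
    return hmac.compare_digest(zone_digest(records), published)

def sign(key, digest):
    # Assumption: HMAC stands in for the DNSSEC signature over the digest record.
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def check_signed(records, published, signature, key):
    return check_unsigned(records, published) and hmac.compare_digest(sign(key, published), signature)

def demo():
    key = b"constructed-signing-key"
    digest = zone_digest(ZONE)
    sig = sign(key, digest)
    altered = [ZONE[0], ("www.example.", A, 3600, bytes([203, 0, 113, 7])), ZONE[2]]
    recomputed = zone_digest(altered)  # whoever can alter the zone can rehash it
    return {
        "change_detected_by_hash": not check_unsigned(altered, digest),
        "unsigned_accepts_rehashed_zone": check_unsigned(altered, recomputed),
        "signed_rejects_rehashed_zone": not check_signed(altered, recomputed, sig, key),
        "signed_accepts_original": check_signed(ZONE, digest, sig, key),
    }
```

Calling `demo()` returns four flags that are all true: the bare hash catches a change against the originally published digest, accepts a zone whose digest was recomputed alongside the change, and only the signed check rejects that case.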
