On 25 Jul 2018, at 12:30, Warren Kumari <war...@kumari.net> wrote:
> One of the original promises of DNSSEC is that I'd be able to find a
> zonefile written on a napkin on a bar floor, and trust it -- currently
> I cannot do this.
I don't think this is correct. The main thrust of DNSSEC (as finally standardised) was to protect caches from poisoning -- in other words, to protect responses with cryptography. Zone files contain things that are not responses, but are used to obtain responses (like glue records, NS RRSets above a zone cut). I don't think it was ever a design goal to sign those, and hence it wasn't a design goal to sign zones in the way that you describe.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
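An added illustration of the point made above (not code from the thread or from any DNSSEC implementation): for a small, constructed parent zone, which records would carry an RRSIG and which would not, following the RFC 4035 section 2.2 rule that NS RRsets at a delegation point and glue address records are not signed, while the DS RRset at the cut and all apex data are. The zone contents and the DS digest are placeholders.

```python
# Added example: classify records of a constructed parent zone "example."
# by whether DNSSEC would sign them (RFC 4035 s.2.2). Delegation NS and
# glue are unsigned because the parent is not authoritative for them;
# they exist only to help a resolver obtain signed answers from the child.

ZONE = """
example.          SOA  ns1.example. hostmaster.example. 1 1 1 1 1
example.          NS   ns1.example.
ns1.example.      A    192.0.2.1
www.example.      A    192.0.2.10
child.example.    NS   ns.child.example.
child.example.    DS   12345 13 2 PLACEHOLDERDIGEST
ns.child.example. A    192.0.2.53
"""

def parse_zone(text):
    """Parse 'owner type rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.strip().splitlines():
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def delegation_points(records, apex):
    """Names below the apex that own an NS RRset are zone cuts."""
    return {o for o, t, _ in records if t == "NS" and o != apex}

def below_cut(name, cuts):
    return any(name == c or name.endswith("." + c) for c in cuts)

def classify(records, apex):
    """Return {(owner, type): 'signed' | 'unsigned'} for the parent zone."""
    cuts = delegation_points(records, apex)
    result = {}
    for owner, rtype, _ in records:
        if owner in cuts and rtype == "NS":
            status = "unsigned"   # delegation NS: parent is not authoritative
        elif owner in cuts and rtype == "DS":
            status = "signed"     # DS is parent-side data, always signed
        elif below_cut(owner, cuts) and rtype in ("A", "AAAA"):
            status = "unsigned"   # glue address records
        else:
            status = "signed"     # SOA, apex NS, in-zone A/AAAA, etc.
        result[(owner, rtype)] = status
    return result

if __name__ == "__main__":
    for (owner, rtype), status in classify(parse_zone(ZONE), "example.").items():
        print(f"{owner:20} {rtype:4} {status}")
```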