> On 27 Jul 2018, at 12:39 pm, Steve Crocker <st...@shinkuro.com> wrote: > > The passage below puzzles me. Why do you want servers to get the root zone > from less trusted sources?
1) to spread load. 2) not all recursive servers have direct access to authoritative sources. Some times they need to go through intermediaries. The same will be true with transfers of the root zone. > And why does the source matter if the zone entries are DNSSEC-signed? Steve please go and re-read the parts you cut out when quoting the previous message. It gave several reasons. Also please look at what is and isn’t signed in a zone and think about what can be done when you can change the unsigned parts. Also think about what can be done when you change the signed parts but don’t individually verify the RRsets but rather just trust the zone content. I have a local copy of the root zone. It lives in a seperate view which is not accessed directly by clients The name server validate its contents when performing recursive lookups on behalf of clients. Such configurations are complicated and error prone. It also doesn’t remove potential privacy leaks. Having a way to verify the entire zone’s contents without having to verify every RRset individually after each zone transfer would make running such configurations easier. It also removes threats that DNSSEC alone does not remove. > Thanks, > > Steve > > Sent from my iPhone > >> On Jul 26, 2018, at 7:33 PM, Mark Andrews <ma...@isc.org> wrote: >> >> Additionally most nameservers treat zone data as fully trusted. This is >> reasonable when you are getting data from a “trusted" source. For the root >> zone we want servers to be able to get a copy of the zone from a untrusted / >> less trusted source. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop