On Thu, Jul 26, 2018 at 11:24 PM Davey Song <songlinj...@gmail.com> wrote:
> The draft says zone digest is not for protecting zone transmission. IMHO,
> the threat model is a MITM attack by malicious editing of on-disk data (NS
> and glue especially) and serving the new zone to end users. DNS digest
> intends to enable end users (resolvers) to automatically detect the
> modification (and drop the zone?).
>

That is one possible threat, but I think it's pretty clear from mailing list discussion that verifying that the zone is transmitted correctly is one of the key use cases (whether that is post zone transfer verification, or out-of-band delivery):

"It allows a receiver of the zone file to verify the zone file's authenticity, especially when used in combination with DNSSEC. This technique makes the message digest a part of the zone file itself, allowing anything to verify the zone file as a whole, no matter how it is transmitted."

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
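As an added illustration of the embedded-digest idea the thread is discussing (not code from the draft, the thread, or any implementation): a simplified stand-in that hashes a canonically ordered zone, stores the result in an apex ZONEMD record, and then detects the on-disk glue edit Davey describes. The tuple record model, the text serialization that is hashed, the function names and the sample zone are my assumptions; the real scheme hashes the canonical on-the-wire form of each record.

```python
import hashlib

# Assumed record model (not from the thread): (owner, ttl, type, rdata) tuples,
# all class IN. The real scheme hashes the canonical on-the-wire form; this
# stand-in hashes one canonical text line per record instead.
APEX = "example."  # constructed sample zone, not a real deployment

SAMPLE_ZONE = [
    ("example.", 3600, "SOA", "ns1.example. admin.example. 2018072601 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("example.", 3600, "NS", "ns2.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),    # glue
    ("ns2.example.", 3600, "A", "192.0.2.2"),    # glue
    ("www.example.", 300, "A", "192.0.2.10"),
]

def _canonical_key(rr):
    owner, _ttl, rtype, rdata = rr
    # DNSSEC-style canonical ordering: owner labels compared from the root,
    # case-insensitively, then by type, then by RDATA.
    return (owner.lower().rstrip(".").split(".")[::-1], rtype, rdata)

def zone_digest(zone, apex):
    """SHA-384 over every record except the apex ZONEMD RRset, in canonical order."""
    h = hashlib.sha384()
    for owner, ttl, rtype, rdata in sorted(zone, key=_canonical_key):
        if owner.lower() == apex.lower() and rtype == "ZONEMD":
            continue  # the digest cannot cover the record that carries it
        h.update(f"{owner.lower()} {ttl} IN {rtype} {rdata}\n".encode())
    return h.hexdigest()

def add_zonemd(zone, apex):
    """Return a copy of the zone with a freshly computed apex ZONEMD record."""
    body = [rr for rr in zone if not (rr[0].lower() == apex and rr[2] == "ZONEMD")]
    return body + [(apex, 3600, "ZONEMD", zone_digest(body, apex))]

def verify_zonemd(zone, apex):
    """True only if an apex ZONEMD record matches the zone's current contents."""
    published = [rr[3] for rr in zone if rr[0].lower() == apex and rr[2] == "ZONEMD"]
    return zone_digest(zone, apex) in published

if __name__ == "__main__":
    signed = add_zonemd(SAMPLE_ZONE, APEX)
    print("clean zone verifies:", verify_zonemd(signed, APEX))
    # The on-disk tampering from the thread: someone rewrites a glue record.
    tampered = [("ns1.example.", 3600, "A", "198.51.100.1") if rr[0] == "ns1.example." else rr
                for rr in signed]
    print("tampered glue verifies:", verify_zonemd(tampered, APEX))
```

Because the digest is computed over canonical order, the check gives the same answer whether the zone arrived by AXFR, a file copy, or any other channel, which is the "no matter how it is transmitted" property quoted above.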