At Fri, 27 Jul 2018 10:59:53 +0800,
Davey Song <songlinj...@gmail.com> wrote:

> > The problem is that when you have every recursive server in the world with
> > a copy of the root zone from “random places” you want to reduce the
> > possible error spaces into manageable chunks when things go wrong which
> > they will.  Being able to verify the contents of the root zone you have are
> > not modified helps.
>
> Generally speaking it is true for any file replication. But it is not
> relevant in the DNS context.

Right, so I think one main question is why the root DNS zone case is
so special that a protocol extension is justified.  Personally, I'm
not yet fully convinced about it through the discussion so far.  As
several other people seem to be persuaded, however, maybe I'm too wary
just because of my hat of handling eventual "named triggers an
assertion failure after zone transfer for some bogus zone digest"
CVEs.  But at the same time, if my sense of the wg's take on the "DNS
camel" discussion is correct, I think we (WG) should require a higher
level of justification for new protocol features.  Again, personally,
I don't yet think draft-wessels-dns-zone-digest has passed this test.

--
JINMEI, Tatuya

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
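The exchange above turns on two things: whether a recursive server holding a copy of the root zone can check that the copy is unmodified, and what happens when the digest record it finds is bogus (Jinmei's "assertion failure after zone transfer" worry). The following is an added illustration written for this page, not code from the draft or from any DNS implementation, and it does not reproduce the draft's exact wire-format rules. It assumes a simplified canonical form (one text line per RR, lowercased owner, DNSSEC canonical name order, duplicates dropped, apex ZONEMD excluded from the hashed data), an assumed three-field ZONEMD RDATA of "serial hash-algorithm hex-digest" with algorithm 1 meaning SHA-384, and a constructed `example.` zone. The point of `verify_zone()` is that malformed, unsupported or mismatching digests produce a verdict, never an exception:

```python
"""Simplified zone-digest computation and verification (added illustration).

Assumed, simplified rules (NOT the draft's exact algorithm):
  * RRs are canonicalised as "owner ttl class type rdata" text, owner lowercased;
  * duplicates are dropped and RRs sorted in canonical name order, then
    class, type, rdata;
  * the apex ZONEMD RRset is excluded from the hashed data;
  * ZONEMD RDATA is assumed to be "serial hash-algorithm hex-digest".
"""
import hashlib
import hmac
from typing import List, Tuple

RR = Tuple[str, int, str, str, str]  # owner, ttl, class, type, rdata

SHA384 = 1                       # assumed hash-algorithm code for SHA-384
DIGEST_HEX_LEN = {SHA384: 96}    # supported algorithms -> hex digest length


def parse_zone(text: str) -> List[RR]:
    """Parse one-RR-per-line presentation format; ';' starts a comment."""
    rrs: List[RR] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)  # ValueError if short
        rrs.append((owner.lower(), int(ttl), rclass.upper(),
                    rtype.upper(), " ".join(rdata.split())))
    return rrs


def _name_key(owner: str) -> Tuple[str, ...]:
    """Canonical ordering key: root sorts first, then label by label from the root."""
    labels = owner.rstrip(".").split(".")
    return () if labels == [""] else tuple(reversed(labels))


def canonical_rrs(rrs: List[RR]) -> List[RR]:
    """Deduplicate, drop the apex ZONEMD placeholder, sort canonically."""
    apex = next(r[0] for r in rrs if r[3] == "SOA")
    kept = {r for r in rrs if not (r[0] == apex and r[3] == "ZONEMD")}
    return sorted(kept, key=lambda r: (_name_key(r[0]), r[2], r[3], r[4]))


def compute_digest(rrs: List[RR], hash_alg: int = SHA384) -> str:
    """SHA-384 over the canonical RR lines; hex string."""
    if hash_alg != SHA384:
        raise ValueError(f"unsupported hash algorithm {hash_alg}")
    h = hashlib.sha384()
    for owner, ttl, rclass, rtype, rdata in canonical_rrs(rrs):
        h.update(f"{owner} {ttl} {rclass} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def verify_zone(text: str) -> Tuple[bool, str]:
    """Return (ok, reason). Bogus ZONEMD data yields a verdict, never a crash."""
    try:
        rrs = parse_zone(text)
    except ValueError:
        return False, "unparseable zone"
    soa = [r for r in rrs if r[3] == "SOA"]
    if len(soa) != 1 or len(soa[0][4].split()) != 7:
        return False, "zone needs exactly one well-formed SOA"
    apex, soa_serial = soa[0][0], soa[0][4].split()[2]
    zonemds = [r for r in rrs if r[0] == apex and r[3] == "ZONEMD"]
    if not zonemds:
        return False, "no ZONEMD at apex"
    reason = "no usable ZONEMD"
    for r in zonemds:                       # any one matching ZONEMD is enough
        fields = r[4].split()
        if len(fields) != 3 or not fields[1].isdigit():
            reason = "malformed ZONEMD rdata"
            continue
        serial, alg, digest = fields[0], int(fields[1]), fields[2].lower()
        if serial != soa_serial:
            reason = "ZONEMD serial does not match SOA"
            continue
        if alg not in DIGEST_HEX_LEN:
            reason = f"unsupported hash algorithm {alg}"
            continue
        if len(digest) != DIGEST_HEX_LEN[alg] or any(c not in "0123456789abcdef" for c in digest):
            reason = "digest field has wrong length or is not hex"
            continue
        if hmac.compare_digest(digest, compute_digest(rrs, alg)):
            return True, "digest matches"
        reason = "digest mismatch: zone content differs from what was digested"
    return False, reason


# Constructed sample zone for the illustration; not real data.
ZONE = """\
example.      3600 IN SOA ns1.example. hostmaster.example. 2018072700 1800 900 604800 3600
example.      3600 IN NS  ns1.example.
example.      3600 IN NS  ns2.example.
ns1.example.  3600 IN A   192.0.2.1
ns2.example.  3600 IN A   192.0.2.2
www.example.  3600 IN A   192.0.2.10
"""


def with_zonemd(zone: str, digest: str, alg: int = SHA384) -> str:
    """Append an apex ZONEMD RR carrying `digest`; serial copied from the SOA."""
    soa = parse_zone(zone)[0]
    return zone + f"{soa[0]} 3600 IN ZONEMD {soa[4].split()[2]} {alg} {digest}\n"


if __name__ == "__main__":
    good = with_zonemd(ZONE, compute_digest(parse_zone(ZONE)))
    print(verify_zone(good))                                            # matches
    print(verify_zone(good.replace("192.0.2.10", "203.0.113.10")))      # tampered
    print(verify_zone(with_zonemd(ZONE, "deadbeef")))                   # bogus digest
    print(verify_zone(with_zonemd(ZONE, "0" * 96, alg=99)))             # unknown alg
```

The verifier loops over every apex ZONEMD record and keeps going past unusable ones, so a zone carrying one malformed and one valid digest still verifies, while a zone carrying only garbage fails closed with a reason rather than taking the server down.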
