On Fri, Jul 27, 2018 at 3:02 PM 神明達哉 <jin...@wide.ad.jp> wrote:
>
> At Fri, 27 Jul 2018 10:59:53 +0800,
> Davey Song <songlinj...@gmail.com> wrote:
>
> > > The problem is that when you have every recursive server in the world with
> > > a copy of the root zone from “random places” you want to reduce the
> > > possible error spaces into manageable chunks when things go wrong which
> > > they will.  Being able to verify the contents of the root zone you have are
> > > not modified helps.
> >
> > Generally speaking it is true for any file replication. But it is not
> > relevant in the DNS context.
>
> Right, so I think one main question is why the root DNS zone case is
> so special that a protocol extension is justified.  Personally, I'm
> not yet fully convinced about it through the discussion so far.  As
> several other people seem to be persuaded, however, maybe I'm too wary
> just because of my hat of handling eventual "named triggers an
> assertion failure after zone transfer for some bogus zone digest"
> CVEs.  But at the same time, if my sense of the wg's take on the "DNS
> camel" discussion is correct, I think we (WG) should require a higher
> level of justification for new protocol features.

This can, but does not have to, be built into the nameserver itself.

As examples, Shane Kerr has created
https://github.com/shane-kerr/ZoneDigestHackathon
and Duane has created https://github.com/verisign/ldns-zone-digest .
Both of these can be used as external utilities to validate a zone file.

I'd be perfectly happy doing something like:
# fetch a fresh copy (or: wget https://www.internic.net/domain/root.zone)
dig AXFR . @b.root-servers.net > root.zone
# verify the zone digest before handing the file to named
ldns-zone-digest -v . root.zone
if [ $? -eq 0 ]
  then
    rndc reload .
  else
    send_alert_critical.sh "Local root zone issue" "Panic! Unable to load new root zone"
fi

(obviously with more error checking :-))

I'm also somewhat more paranoid than most - I'd personally also like
to be able to do something like:
for file in *.zone
  do
    zone="${file%.zone}"          # zone name is the file name without .zone
    ldns-zone-digest -v "$zone" "$file"
    if [ $? -ne 0 ]
      then
        echo "${file} has been corrupted. Aborting..."
        exit 1
      fi
  done

in my init scripts.

I also used to host a zone for a friend who doesn't run his own
nameserver. He would email the zonefile whenever he made changes,
and I would copy and paste it into a file[0] - it sure would have been
nice to be able to run something like 'named-checkzone foo foo' and
make sure I'd copied and pasted the whole thing correctly...

W
[0]: He wasn't really the sort of person I wanted to give a shell on
my machine to :-)

> Again, personally,
> I don't yet think draft-wessels-dns-zone-digest has passed this test.
>
> --
> JINMEI, Tatuya
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
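The fetch, verify-digest, then reload flow sketched in the message above, with the error checking it leaves out, as an added example that is not part of the original post: it assumes ldns-zone-digest and rndc are on PATH (overridable through ZONE_DIGEST and RNDC), keeps zone files under ZONE_DIR, and treats send_alert_critical.sh as the hypothetical alert script named in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: ldns-zone-digest and
# rndc are on PATH (override with ZONE_DIGEST / RNDC), zone files live under
# ZONE_DIR, and send_alert_critical.sh is the post's hypothetical alert script.
ZONE_DIGEST="${ZONE_DIGEST:-ldns-zone-digest}"
RNDC="${RNDC:-rndc}"
ZONE_DIR="${ZONE_DIR:-/var/named}"
ALERT_CMD="${ALERT_CMD:-send_alert_critical.sh}"

# zone_file ZONE: where the live copy of ZONE is kept ("." is stored as root.zone).
zone_file() {
    case "$1" in .) echo "$ZONE_DIR/root.zone" ;; *) echo "$ZONE_DIR/$1.zone" ;; esac
}

# verify_zone ZONE FILE: 0 if FILE is non-empty and carries a valid digest for ZONE.
verify_zone() {
    [ -s "$2" ] || return 1                      # truncated or empty transfer
    "$ZONE_DIGEST" -v "$1" "$2" >/dev/null 2>&1
}

# install_zone ZONE CANDIDATE: verify CANDIDATE, rename it into place (so named
# never reads a half-written file), keep the previous copy as *.prev, reload.
# Returns 0 on success, 1 if the digest check failed (candidate is discarded),
# 2 if the reload failed (the previous copy is put back).
install_zone() {
    zone="$1"; candidate="$2"; target=$(zone_file "$1")
    if ! verify_zone "$zone" "$candidate"; then
        "$ALERT_CMD" "Local root zone issue" "digest check failed for zone $zone"
        rm -f "$candidate"                       # never leave a bad file around
        return 1
    fi
    [ -f "$target" ] && cp -p "$target" "$target.prev"
    mv "$candidate" "$target"
    if ! "$RNDC" reload "$zone" >/dev/null 2>&1; then
        [ -f "$target.prev" ] && mv "$target.prev" "$target"
        "$ALERT_CMD" "Local root zone issue" "reload of zone $zone failed"
        return 2
    fi
}

# Typical use: transfer into a temp file first, never over the live zone file.
# tmp=$(mktemp "$ZONE_DIR/root.zone.XXXXXX") &&
#   dig AXFR . @b.root-servers.net > "$tmp" && install_zone . "$tmp"
```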
