On Fri, 27 Jul 2018, Warren Kumari wrote:
This can, but does not have, to be built into the nameserver itself.
Those are just more arguments to not have a DNS checksum/sig option. What I see is that: We are looking at a way to distribute the root zone, presumably to make the root servers less mission critical and for enhanced privacy and reduced NXDOMAIN queries. We are depening on DNSSEC for integrity of the data, which just misses glue/NS verification. we can do AXFR but that would keep the root servers mission critical. glue/NS verification isn't needed normally, because we would just need a single working entry to pull the new root zone from one of the root servers - but then we depend again on the root servers as critical infrastructure which is something we seem to want to try and avoid. maybe this is also useful for non-root zones, so the method was sort of made to apply generically. I think the use for non-root zones is quite a different use case, so if I ignore that, we are looking at specifically the root zone only. What is the pain of getting a root zone file from an unknown/untrusted source ? - transport seurity isn't enough (so no (D)TLS) - detached sigs like pgp too annoying/hard? (two files instead of one, or the one file needs preprocessing before giving it to DNS tools) - we have to validate it with the known key (so some tooling needed) - glue/ns could be filtered (either a ddos, or a privacy concern?) - we cannot depend on finding 1 working root server and then AXFR it to confirm, assuming that would be too much load on the existing root servers (although load of junk queries would decrease if this is deployed) It seems the way to fix this would be to have well known recursive servers (8.8.8.8, 1.1.1.1, 4.4.4.4, level3, opendns, etc) also offer the root zone for AXFR. If you get something that does not work, fall back to standard recursive root zone queries based on the buildin hints file. We could also do some /.well-known/root.zone URI to allow for other https/tls servers for serving the zone without being a public resolver, eg for enterprise or isp network use only? Maybe a dhcp option to point to the location? Additionally, these servers could allow downloads of the root zone via HTTPS/TLS/etc for those tools that want to write a root zone file to disk for re-use or for preloading a resolver cache on startup ? In all of this, I don't see much use in protecting the root zone with either ZONEMD or XHASH. If the NS/glue is mangled to the point of being unusable to refresh the root zone, drop the garbage and do traditional DNS querying from the preloaded hints or previous copy of the root zone. If ZONEMD or XHASH was a regular record with no special handling, maybe it could be worth it, but it is a very a-typical RRTYPE and I think there isn't a very strong case for adding it to the DNS system. Paul _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
