On Fri, Jul 27, 2018 at 06:17:37PM -0400, Paul Wouters wrote:
> we can do AXFR but that would keep the root servers mission critical.
> Also, the only currently practical channel security for AXFR is TSIG
> and it can't scale to hundreds of thousands of clients.

Speaking as an implementer, I like AXFR from the traditional root servers
as a method of distribution (despite the regrettable fact that half of
them don't support AXFR; I wish they would). Reducing the root servers'
central role isn't a major concern for me, and I don't think daily zone
transfers from resolvers will overly tax them. The code's long-since
implemented and mature, and using it doesn't introduce a lot of new
moving parts.

However, the inability to verify the correctness and completeness of a
zone transfer (including the gluey bits) with an in-band signature *is*
a problem. ZONEMD/XHASH solves it.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
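The in-band check Evan is referring to, as an added example that is not part of the post and not BIND code: a simplified zone digest modeled on the SIMPLE scheme of ZONEMD (later published as RFC 8976). It assumes only A, NS, SOA and ZONEMD records, class IN, no RRSIG handling, and hashes the canonical wire form of each RR (RFC 4034 section 6) in canonical order with the apex ZONEMD RRset excluded; the sample zone is constructed. It is not a conformant RFC 8976 implementation, but it shows how a digest carried inside the zone lets a client detect a dropped glue record or an altered record after a transfer, independent of any channel security such as TSIG.

```python
"""Simplified zone-digest check modeled on ZONEMD's SIMPLE scheme (RFC 8976).
Added example, not from the mailing-list post and not BIND code. Assumes only
A/NS/SOA/ZONEMD records, class IN, no RRSIG handling; constructed sample zone.
Not a conformant RFC 8976 implementation."""
import hashlib
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}  # IANA type codes
CLASS_IN = 1
SCHEME_SIMPLE = 1  # ZONEMD scheme 1: one digest over the whole sorted zone
HASH_SHA384 = 1    # ZONEMD hash algorithm 1: SHA-384

def wire_name(name):
    """Uncompressed wire-format name, lowercased (canonical form)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rdata(rtype, fields):
    """Wire-format RDATA for the supported types; names in RDATA are lowercased."""
    if rtype == "A":
        return bytes(int(octet) for octet in fields[0].split("."))
    if rtype == "NS":
        return wire_name(fields[0])
    if rtype == "SOA":  # mname, rname, serial, refresh, retry, expire, minimum
        nums = [int(x) for x in fields[2:7]]
        return wire_name(fields[0]) + wire_name(fields[1]) + struct.pack("!5I", *nums)
    raise ValueError("unsupported RR type: " + rtype)

def canonical_rr(owner, ttl, rtype, fields):
    """Canonical RR form: owner | type | class | TTL | RDLENGTH | RDATA."""
    rd = rdata(rtype, fields)
    return wire_name(owner) + struct.pack("!HHIH", TYPE[rtype], CLASS_IN, ttl, len(rd)) + rd

def sort_key(rr):
    """Canonical order: owner labels compared right to left, then type, then RDATA."""
    owner, _ttl, rtype, fields = rr
    labels = tuple(reversed(owner.lower().rstrip(".").split(".")))
    return (labels, TYPE[rtype], rdata(rtype, fields))

def zone_digest(records):
    """SHA-384 over every RR except the ZONEMD RRset itself, in canonical order."""
    body = [r for r in records if r[2] != "ZONEMD"]
    h = hashlib.sha384()
    for rr in sorted(body, key=sort_key):
        h.update(canonical_rr(*rr))
    return h.hexdigest()

def apex_soa_serial(records, apex):
    soa = [r for r in records if r[2] == "SOA" and r[0].lower() == apex.lower()]
    if len(soa) != 1:
        raise ValueError("apex SOA missing or duplicated")
    return int(soa[0][3][2])

def make_zonemd(records, apex):
    """Publisher side: apex ZONEMD RR with RDATA (serial, scheme, hash alg, digest)."""
    serial = apex_soa_serial(records, apex)
    return (apex, 3600, "ZONEMD", (serial, SCHEME_SIMPLE, HASH_SHA384, zone_digest(records)))

def verify_zone(records, apex):
    """Client side after AXFR: (ok, reason). Detects dropped, added or altered RRs."""
    try:
        serial = apex_soa_serial(records, apex)
    except ValueError as e:
        return False, str(e)
    zonemds = [r for r in records if r[2] == "ZONEMD" and r[0].lower() == apex.lower()]
    if not zonemds:
        return False, "no apex ZONEMD record"
    expected = zone_digest(records)
    for _, _, _, (zserial, scheme, alg, digest) in zonemds:
        if (scheme, alg) != (SCHEME_SIMPLE, HASH_SHA384):
            continue  # unsupported combination; look for another ZONEMD RR
        if zserial != serial:
            return False, "ZONEMD serial %d does not match SOA serial %d" % (zserial, serial)
        if digest == expected:
            return True, "digest matches"
        return False, "digest mismatch: zone incomplete or modified"
    return False, "no ZONEMD RR with a supported scheme/algorithm"

# Constructed sample zone (not real data): apex example. with a delegation and its glue.
EXAMPLE_ZONE = [
    ("example.", 3600, "SOA", ("ns1.example.", "hostmaster.example.",
                               "2018072701", "7200", "3600", "1209600", "3600")),
    ("example.", 3600, "NS", ("ns1.example.",)),
    ("example.", 3600, "NS", ("ns2.example.",)),
    ("child.example.", 3600, "NS", ("ns.child.example.",)),  # delegation
    ("ns.child.example.", 3600, "A", ("192.0.2.53",)),       # glue below the zone cut
    ("ns1.example.", 3600, "A", ("192.0.2.1",)),
    ("ns2.example.", 3600, "A", ("192.0.2.2",)),
]

def demo():
    """Returns (intact ok, glue-dropped ok, A-record-altered ok) -> (True, False, False)."""
    zone = EXAMPLE_ZONE + [make_zonemd(EXAMPLE_ZONE, "example.")]
    ok_intact, _ = verify_zone(zone, "example.")
    without_glue = [r for r in zone if r[0] != "ns.child.example."]   # truncated transfer
    ok_glue, _ = verify_zone(without_glue, "example.")
    altered = [(o, t, ty, ("192.0.2.99",) if o == "ns1.example." else f) for o, t, ty, f in zone]
    ok_altered, _ = verify_zone(altered, "example.")
    return ok_intact, ok_glue, ok_altered
```

The digest alone only proves that what arrived is exactly what the publisher hashed; the "signature" part comes from DNSSEC, since the apex ZONEMD RRset is itself covered by an RRSIG that the client validates against the zone's chain of trust. That is also why RFC 8976 excludes the RRSIG over ZONEMD from the digest input (the digest must exist before that RRSIG can be produced), a detail this example omits along with all other RRSIG handling.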