Mail headers don’t have NSEC records. Also any operation where you need to reconstruct the file by combining bits from different places/channels is prone to errors.
You need to know the hash is valid before you start the download. Therefore the hash has to be signed.

O.
--
Ondřej Surý — ISC

On 29 Jul 2018, at 06:50, John R Levine <jo...@taugh.com> wrote:

>> Therefore either you need to exclude the data that changes (hash and its
>> RRSIG) when computing the hash for the BitTorrent and the receiving side
>> would have to reassemble this. Or you would need OOB mechanism to distribute
>> the hash (different part of the tree, CDN, ...).
>
> Of course you exclude the hash record from the hash. Look at the way we do
> DKIM signatures -- the header hash includes all the headers including the
> signature header, but it pretends there's no hash field in it.
>
> I'm also thinking the hash wouldn't need to include the RRSIG records, since
> those are mechanically derived from the underlying records and the ZSK.
>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
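The exclusion scheme debated in this thread, as an added example that is not part of either message: a digest computed over the zone with the hash record and the RRSIGs left out, so that storing the hash or re-signing does not change it. The record type name `ZHASH`, the text canonical form and the sample zone are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample zone as (owner, type, rdata) tuples. "ZHASH" is a
# hypothetical record type standing in for the hash record under discussion.
ZONE = [
    ("example.", "SOA", "ns1.example. admin.example. 2018072901 3600 900 604800 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("example.", "RRSIG", "SOA 8 1 3600 (constructed signature A)"),
    ("example.", "ZHASH", "placeholder"),
]

EXCLUDED = {"ZHASH", "RRSIG"}  # the hash record itself, plus derived signatures


def zone_digest(records, excluded=EXCLUDED):
    """SHA-256 over a sorted text form of the records, skipping excluded types.

    The canonical form here (lowercased owner, sorted lines) is a simplification
    assumed for this example, not the DNSSEC canonical wire format.
    """
    lines = sorted(
        f"{owner.lower()}\t{rtype}\t{rdata}"
        for owner, rtype, rdata in records
        if rtype not in excluded
    )
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def publish(records):
    """Sender side: compute the digest, then store it in the ZHASH record."""
    digest = zone_digest(records)
    return [(o, t, digest if t == "ZHASH" else d) for o, t, d in records]


def verify(records):
    """Receiver side: recompute with the same exclusions and compare."""
    stored = [d for _, t, d in records if t == "ZHASH"]
    return len(stored) == 1 and stored[0] == zone_digest(records)
```

`verify` only compares the data against a hash carried in the same data, so it detects transfer corruption but not a consistent rewrite of both; authenticity depends on a signature over the hash record, which this sketch does not model.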