I realize that hypothetically a malicious server could send you a large
file of garbage. ...
A lot of other updaters use HTTPS, which does not have this issue if
the terminating party is also the source of the data. ...
Doesn't that assume that the other server will never be compromised? I
realize that trying to guess how the other end might do bad things is a
rathole, which is why I don't want try to invent anything beyond what we
already have for dealing with downloaded files.
It seems to me that the clever bit about ZONEMD is that it uses the
existing DNSSEC keys so you don't have to invent a new key management
scheme.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
PS: I agree that a paragraph or two about other ways that people
distribute zone files wouldn't hurt.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
