On Tue, 31 Jul 2018, Matt Larson wrote:
> For all those reasons, I think a checksum in the zone file itself that can be verified with DNSSEC is the best option for this use case, and I like the ZONEMD solution.
Note that the checksum in this case must be at least as cryptographically strong as the signature algorithm used in the individual RRSIGs/DNSKEYs. This would have to be enforced by software/RFC to prevent a downgrade attack.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
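The "at least as strong as the signature algorithm" rule above is easy to state but only protects against a downgrade if a validator actually enforces it before trusting a ZONEMD digest. The following is an added example, not code from the thread, the ZONEMD draft, or any DNS implementation: a validator-side policy check that refuses a ZONEMD whose hash is weaker than the weakest signing algorithm in the zone, followed by a digest comparison. It assumes ZONEMD hash algorithm numbers 1 = SHA-384 and 2 = SHA-512, IANA DNSSEC algorithm numbers, and an approximate security-level table (bits, assuming 2048-bit RSA keys); the sample zone and the digest canonicalization (sorted presentation-format lines) are constructed and simplified for illustration and do not reproduce the real ZONEMD wire-format hashing.

```python
"""Validator-side check: a ZONEMD digest must not be weaker than the zone's
signatures, otherwise an attacker who can break the digest can bypass DNSSEC
protection of the zone contents (the downgrade Paul describes).

All tables and the zone below are assumptions/constructed data for this
example, not values taken from the mailing-list thread."""
import hashlib
import hmac

# Assumed ZONEMD hash algorithm numbers -> (hashlib name, collision bits)
ZONEMD_HASH = {1: ("sha384", 192), 2: ("sha512", 256)}

# Assumed approximate security level of DNSSEC signing algorithms (bits).
# RSA entries assume 2048-bit keys; SHA-1 entries are listed only so the
# checker can reason about legacy zones, not because they are acceptable.
DNSSEC_ALG_STRENGTH = {
    5: ("RSASHA1", 80),
    7: ("RSASHA1-NSEC3-SHA1", 80),
    8: ("RSASHA256", 112),
    10: ("RSASHA512", 112),
    13: ("ECDSAP256SHA256", 128),
    14: ("ECDSAP384SHA384", 192),
    15: ("ED25519", 128),
    16: ("ED448", 224),
}


def signature_strength(dnskey_algs):
    """The weakest algorithm present bounds the zone's signature strength.
    Unknown algorithms raise rather than being silently treated as strong."""
    if not dnskey_algs:
        raise ValueError("zone has no DNSKEY algorithms")
    levels = []
    for alg in dnskey_algs:
        if alg not in DNSSEC_ALG_STRENGTH:
            raise ValueError(f"unknown DNSSEC algorithm {alg}; refusing to guess")
        levels.append(DNSSEC_ALG_STRENGTH[alg][1])
    return min(levels)


def zonemd_strong_enough(zonemd_hash_alg, dnskey_algs):
    """Policy rule from the thread: digest strength >= signature strength."""
    if zonemd_hash_alg not in ZONEMD_HASH:
        return False  # unknown/unsupported digest: never accept by default
    return ZONEMD_HASH[zonemd_hash_alg][1] >= signature_strength(dnskey_algs)


def simple_zone_digest(records, zonemd_hash_alg):
    """Simplified digest: hash the sorted presentation-format RRs, skipping the
    ZONEMD RR itself (which cannot cover its own digest). NOT the real
    ZONEMD canonical wire-format procedure; illustration only."""
    name, _ = ZONEMD_HASH[zonemd_hash_alg]
    h = hashlib.new(name)
    for rr in sorted(r for r in records if " ZONEMD " not in r):
        h.update(rr.encode("ascii") + b"\n")
    return h.hexdigest()


def verify_zone(records, zonemd_hash_alg, expected_digest, dnskey_algs):
    """Enforce the strength policy first, then compare digests in constant time.
    Returns (ok, reason) so callers can log why a zone was rejected."""
    if not zonemd_strong_enough(zonemd_hash_alg, dnskey_algs):
        return (False, "zonemd-hash-too-weak")
    actual = simple_zone_digest(records, zonemd_hash_alg)
    if not hmac.compare_digest(actual, expected_digest):
        return (False, "digest-mismatch")
    return (True, "ok")


# Constructed sample zone (presentation format, no real data).
ZONE = [
    "example. 3600 IN SOA ns1.example. admin.example. 2018073101 7200 3600 1209600 3600",
    "example. 3600 IN NS ns1.example.",
    "ns1.example. 3600 IN A 192.0.2.1",
]

if __name__ == "__main__":
    digest = simple_zone_digest(ZONE, 1)  # publisher side: SHA-384 digest
    print("ECDSA P-256 zone, SHA-384 ZONEMD:", verify_zone(ZONE, 1, digest, [13]))
    print("Ed448 zone, SHA-384 ZONEMD:      ", verify_zone(ZONE, 1, digest, [16]))
    tampered = ZONE[:-1] + ["ns1.example. 3600 IN A 198.51.100.9"]
    print("tampered zone:                   ", verify_zone(tampered, 1, digest, [13]))
```

Under the rule as stated, SHA-384 (192-bit collision resistance) is accepted for RSA, ECDSA and Ed25519 zones but rejected for an Ed448 zone, which at roughly 224 bits would need the SHA-512 digest; the check runs before any digest comparison so a weak digest never gets a chance to "verify".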