The point was to allow redistribution and to not depend on a trusted source
Sent from my phone

> On Aug 9, 2018, at 20:21, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
>> On Thu, Aug 09, 2018 at 02:19:08PM +0000, Edward Lewis wrote:
>>
>> FWIW, this message was spurred by this comic strip [yes, today as I write]:
>> http://dilbert.com/strip/2018-08-09.
>
> Cute.
>
>> "Will the time taken to generate and verify this record add to the security
>> of a zone transfer?"
>
> Perhaps a sensible way to secure zone transfer is at the transport
> layer. Presumably DNS over TLS is compatible with AXFR. If desired,
> authentication can be via DANE. Just publish a TLSA RRset:
>
> example.net. IN SOA nsa.example.net. hostmaster.example.net. ...
> example.net. IN NS nsa.example.net.
> nsa.example.net. IN A 192.0.2.1
> _853._tcp.nsa.example.net. IN TLSA 3 1 1
> fbefbd9e5b54696792bab92cf329669edaca16d0b09dcfdd16fe3e1bd8ab08e9
>
> and do the AXFR transfer over TLS. This does not require pre-computation
> of a zone checksum. Just obtain the zone transfer from a suitably
> trusted source.
>
> --
> Viktor.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
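The quoted proposal pins the DoT server's key with a `3 1 1` TLSA record (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching). As an added example, not code from the thread or from any DNS or TLS implementation, here is the matching logic a DoT client would run on the `_853._tcp.nsa.example.net` RRset, assuming its TLS stack hands it the peer's SPKI in DER form; the SPKI bytes below are a constructed Ed25519 key, not a real server's.

```python
"""Match a DoT server's presented key against a DANE TLSA RRset (RFC 6698)."""
import hashlib
import hmac
from typing import Optional

# Constructed sample: SubjectPublicKeyInfo DER of an Ed25519 key (RFC 8410
# layout) wrapping a made-up 32-byte public key. A real client would take
# these bytes from the certificate its TLS stack received on port 853.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

# The record from the thread, in presentation format: usage selector mtype hex.
PAGE_TLSA = "3 1 1 fbefbd9e5b54696792bab92cf329669edaca16d0b09dcfdd16fe3e1bd8ab08e9"


def parse_tlsa(rdata: str) -> tuple:
    """Parse presentation-format TLSA rdata; the hex may be split across words."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def association_data(data: bytes, mtype: int) -> bytes:
    """Apply the TLSA matching type: 0 = exact copy, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported TLSA matching type {mtype}")


def tlsa_rdata_for(spki_der: bytes, cert_der: Optional[bytes] = None,
                   usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Rdata the zone operator publishes for this key (selector 1) or cert (0)."""
    data = spki_der if selector == 1 else cert_der
    return f"{usage} {selector} {mtype} {association_data(data, mtype).hex()}"


def dane_ee_matches(tlsa_rrset: list, spki_der: bytes,
                    cert_der: Optional[bytes] = None) -> bool:
    """True if any usable usage-3 (DANE-EE) record matches the presented key."""
    for rr in tlsa_rrset:
        usage, selector, mtype, assoc = parse_tlsa(rr)
        data = spki_der if selector == 1 else cert_der
        # Records with other usages, unknown parameters or no comparable data
        # are unusable; RFC 6698 says to skip them, not to reject the RRset.
        if usage != 3 or mtype not in (0, 1, 2) or data is None:
            continue
        if hmac.compare_digest(association_data(data, mtype), assoc):
            return True
    return False
```

Because usage 3 authenticates the end-entity key directly, a client that finds a match needs no PKIX chain or name check for that connection; a mismatch on every record means the AXFR source is not the one the zone published.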