On Mon, Oct 22, 2018 at 7:32 AM <internet-dra...@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
>         Title           : Message Digest for DNS Zones
>         Authors         : Duane Wessels
>                           Piet Barber
>                           Matt Weinberg
>                           Warren Kumari
>                           Wes Hardaker
>         Filename        : draft-wessels-dns-zone-digest-04.txt
>         Pages           : 26
>         Date            : 2018-10-22
>
> Abstract:
>    This document describes an experimental protocol and new DNS Resource
>    Record that can be used to provide a message digest over DNS zone
>    data.  The ZONEMD Resource Record conveys the message digest data in
>    the zone itself.  When a zone publisher includes a ZONEMD record,
>    recipients can verify the zone contents for accuracy and
>    completeness.  This provides assurance that received zone data
>    matches published data, regardless of how the zone data has been
>    transmitted and received.
>
>    ZONEMD is not designed to replace DNSSEC.  Whereas DNSSEC is designed
>    to protect recursive name servers and their caches, ZONEMD protects
>    applications that consume zone files, whether they be authoritative
>    name servers, recursive name servers, or uses of zone file data.
>
>    As specified at this time, ZONEMD is not designed for use in large,
>    dynamic zones due to the time and resources required for digest
>    calculation.  The ZONEMD record described in this document includes
>    fields reserved for future work to support large, dynamic zones.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-wessels-dns-zone-digest/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-wessels-dns-zone-digest-04
> https://datatracker.ietf.org/doc/html/draft-wessels-dns-zone-digest-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-wessels-dns-zone-digest-04


Just my opinions:

Keep the Reserved field

Include occluded data - it is part of the zone, even if never served.
(Similar to glue data when a server has both a parent and child zone.)

If you might have multiple zonemd records not at the apex later, why not
allow them now?  Otherwise, your choice whether to restrict them.  (Someone
will find a use for them, like verifying glue records.  Everyone else can
ignore them.)

-- 
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
