In article <20201010032517.gm89...@kduck.mit.edu> you write:
>There's two general classes of attack to consider: when an external
>attacker takes an existing ZONEMD and tries to modify the associated zone,
>or when the zone provider is the malicious entity that wants to provide
>different content to different people but give them the same digest value ...

I think there's a third threat: a transcription error due to a transmission error or other kinds of bitrot. I send zone files between my DNS servers over ssh, so the chances of an external attack are low, but particularly as zone files continue to grow, the protection of the TCP checksum is less effective. On my rather small DNS setup I have a 71MB zone, and I don't think that's unusual. In many, probably most, cases a bit flip or two would produce DNS data that is still valid but wrong, e.g., a changed address in an AAAA record or changed characters in a name anywhere.

That's why there are situations where a zone digest can be useful even without a DNSSEC validation chain.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
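The failure mode John describes, a bit flip that leaves the zone syntactically valid but changes its content, is easy to show with a small digest over a zone file. The following is an added example, not code from the thread or from any ZONEMD implementation: it uses a simplified text-level canonicalization (lowercased owner names, normalized addresses, sorted records) hashed with SHA-384, not the RFC 8976 wire-format canonical ordering, and the zone contents, the `flip_aaaa_bit` helper and the `digest_detects_corruption` function are constructed for illustration.

```python
"""Added example (not from the thread): a simplified zone digest that catches a
single bit flip in an AAAA record even though the corrupted zone still parses.
This is NOT the RFC 8976 ZONEMD SIMPLE scheme (which hashes RRs in canonical
wire format); the text-level canonicalization here is a stand-in for it."""
import hashlib
import ipaddress

# Constructed sample zone, one RR per line: owner TTL class type rdata
SAMPLE_ZONE = """\
example.test.     3600 IN SOA  ns1.example.test. hostmaster.example.test. 2020101001 7200 3600 1209600 3600
example.test.     3600 IN NS   ns1.example.test.
ns1.example.test. 3600 IN A    192.0.2.1
www.example.test. 3600 IN AAAA 2001:db8::1
www.example.test. 3600 IN TXT  "v=spf1 -all"
"""


def parse_zone(text):
    """Parse the simplified presentation format into (owner, ttl, class, type, rdata)
    tuples. Raises ValueError on a syntactically invalid record (bad TTL or address).
    Owner names are lowercased and A/AAAA rdata normalized so that equivalent
    spellings of the same data produce the same digest."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected owner TTL class type rdata")
        owner, ttl, rrclass, rrtype, rdata = fields
        ttl = int(ttl)
        rrtype = rrtype.upper()
        if rrtype == "A":
            rdata = str(ipaddress.IPv4Address(rdata.strip()))
        elif rrtype == "AAAA":
            rdata = str(ipaddress.IPv6Address(rdata.strip()))
        else:
            rdata = " ".join(rdata.split())
        records.append((owner.lower(), ttl, rrclass.upper(), rrtype, rdata))
    return records


def zone_digest(text):
    """SHA-384 over the sorted canonical records; input line order does not matter."""
    h = hashlib.sha384()
    for rr in sorted(parse_zone(text)):
        h.update(("\t".join(map(str, rr)) + "\n").encode())
    return h.hexdigest()


def flip_aaaa_bit(text, owner, bit):
    """Simulate bitrot: flip one bit of the AAAA address owned by `owner` and
    return the modified zone text. (Hypothetical helper for the demonstration.)"""
    out = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[0].lower() == owner.lower() and fields[3].upper() == "AAAA":
            addr = int(ipaddress.IPv6Address(fields[4].strip()))
            fields[4] = str(ipaddress.IPv6Address(addr ^ (1 << bit)))
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


def digest_detects_corruption(text, owner, bit):
    """Return (still_valid, digest_changed) after flipping one bit in the named AAAA record.
    The interesting outcome is (True, True): the zone still loads, only the digest notices."""
    corrupted = flip_aaaa_bit(text, owner, bit)
    try:
        parse_zone(corrupted)
        still_valid = True
    except ValueError:
        still_valid = False
    return still_valid, zone_digest(text) != zone_digest(corrupted)


if __name__ == "__main__":
    print("digest:", zone_digest(SAMPLE_ZONE))
    valid, changed = digest_detects_corruption(SAMPLE_ZONE, "www.example.test.", 0)
    print("corrupted zone still parses:", valid, "| digest changed:", changed)
```

Flipping bit 0 turns `2001:db8::1` into `2001:db8::`, which every zone loader accepts without complaint; only a comparison against the published digest reveals that the data is not what the zone publisher sent. A real ZONEMD verifier would compute the RFC 8976 digest over the wire-format RRs instead, but the property shown here, detection of a valid-but-wrong zone without any DNSSEC chain, is the same.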