Thanks a lot George for your comments. About this suggestion:

On 14:29 27/04, George Michaelson wrote:
> It's a debug tool. It isn't going to be something I expect to use, but
> I like the idea if something goes awry in the responses I am seeing I
> can ask the authority to tell me what SOA serial I should expect to
> see, that has the response state they're giving me for the specific
> query. That's distinct from ZONEMD which is a DNSSEC signed state of an
> entire zone (assuming it can be done) which is a different class of
> check on zone state related to serial. I like both. They're different.
> That said, you COULD point to ZONEMD in this one in the security
> considerations, but I wouldn't make it normative. It's just another way
> to check the state of a zone.
You're right that we can better state the differences with ZONEMD. What do you think of adding a paragraph like this in the security considerations?

"Please note that the ZONEVERSION option cannot be used for checking the correctness of an entire zone in a server. For such cases, the ZONEMD record [RFC8976] might be better suited for such a task. ZONEVERSION can help identify and correlate a certain specific answer with a version of a zone, but it has no special integrity or verification function besides a normal field value inside a zone, as stated above."

Thanks,
Hugo
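The point of the proposed paragraph, that ZONEVERSION only correlates one answer with a zone version and proves nothing about integrity, is easiest to see in code. The following is an added example, not code from the draft or from either correspondent: it builds a query carrying an empty ZONEVERSION option, then parses a constructed response and maps the answer to the zone apex and SOA serial the authority reports. The option code (19), the LABELCOUNT/TYPE/VERSION layout and TYPE 0 = SOA-SERIAL are assumed here from the published RFC 9660 (the later form of the draft under discussion) and are not stated anywhere in this message; the sample response bytes are constructed, not captured from a real server.

```python
"""Build a DNS query with an empty ZONEVERSION EDNS option and correlate a
response with the SOA serial the authority reports.  Added example; wire
format assumed from RFC 9660, not from the draft text discussed above."""
import struct

# Assumed from RFC 9660: option code 19 = ZONEVERSION, TYPE 0 = SOA-SERIAL.
OPT_ZONEVERSION = 19
ZV_TYPE_SOA_SERIAL = 0
RRTYPE_A, RRTYPE_OPT = 1, 41


def encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qid=0x1234):
    """Query carrying an empty ZONEVERSION option (the request form has no data)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    option = struct.pack(">HH", OPT_ZONEVERSION, 0)
    opt_rr = b"\x00" + struct.pack(">HHIH", RRTYPE_OPT, 1232, 0, len(option)) + option
    return header + question + opt_rr


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return (qname, list of A answers, ZONEVERSION option or None)."""
    _qid, _flags, _qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                            # QTYPE, QCLASS
    answers, zoneversion = [], None
    for _ in range(an + ns + ar):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == RRTYPE_A:
            answers.append(".".join(str(b) for b in rdata))
        elif rtype == RRTYPE_OPT:                       # walk the EDNS options
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack(">HH", rdata[o:o + 4])
                body = rdata[o + 4:o + 4 + olen]
                o += 4 + olen
                if code == OPT_ZONEVERSION and len(body) >= 2:
                    zoneversion = (body[0], body[1], body[2:])   # LABELCOUNT, TYPE, VERSION
    return qname, answers, zoneversion


def correlate(msg):
    """Map the answer to (zone apex, SOA serial) via ZONEVERSION.
    Correlation only: nothing here proves the serial or the answer is genuine;
    that is what DNSSEC signatures (or ZONEMD for a whole zone) are for."""
    qname, answers, zv = parse_response(msg)
    if zv is None:
        return None
    labelcount, ztype, version = zv
    if ztype != ZV_TYPE_SOA_SERIAL or len(version) != 4:
        return None                                     # unknown type: ignore it
    labels = qname.rstrip(".").split(".")
    apex = ".".join(labels[len(labels) - labelcount:]) + "."
    return {"qname": qname, "answers": answers, "zone": apex,
            "serial": struct.unpack(">I", version)[0]}


def sample_response(serial=2024042701, address=b"\xc0\x00\x02\x01"):
    """Constructed response: www.example.com. A 192.0.2.1 plus a ZONEVERSION
    option with LABELCOUNT=2 (zone example.com.), TYPE=0, the given serial."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("www.example.com.") + struct.pack(">HH", RRTYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", RRTYPE_A, 1, 300, 4) + address
    option = (struct.pack(">HH", OPT_ZONEVERSION, 6)
              + bytes([2, ZV_TYPE_SOA_SERIAL]) + struct.pack(">I", serial))
    opt_rr = b"\x00" + struct.pack(">HHIH", RRTYPE_OPT, 1232, 0, len(option)) + option
    return header + question + answer + opt_rr


if __name__ == "__main__":
    print(correlate(sample_response()))
```

Two responses for the same name that carry different serials tell you the answers came from different zone versions, which is the debugging use George describes; a forged response can carry any serial it likes, which is why the proposed security-considerations text is right to deny the option any integrity role.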
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop