Yes, that's pretty succinct and clear.

G

On Sat, 29 Apr 2023, 04:26 Hugo Salgado, <hsalg...@nic.cl> wrote:

> Thanks a lot George for your comments.
> About this suggestion:
>
> On 14:29 27/04, George Michaelson wrote:
> > It's a debug tool. It isn't going to be something I expect to use, but
> > I like the idea if something goes awry in the responses I am seeing I
> > can ask the authority to tell me what SOA serial I should expect to
> > see, that has the response state they're giving me for the specific
> > query. That's distinct from ZONEMD which is a DNSSEC signed state of an
> > entire zone (assuming it can be done) which is a different class of
> > check on zone state related to serial. I like both. They're different.
> > That said, you COULD point to ZONEMD in this one in the security
> > considerations, but I wouldn't make it normative. It's just another way
> > to check the state of a zone.
> >
>
> You're right that we can better state the differences with ZONEMD.
> What do you think of adding a paragraph like this in the security
> considerations?
>
> "Please note that ZONEVERSION option can not be used for checking
> the correctness of an entire zone in a server. For such cases, the
> ZONEMD record [RFC8976] might be better suited at such task.
> ZONEVERSION can help identify and correlate a certain specific
> answer with a version of a zone, but it has no special integrity or
> verification function besides a normal field value inside a zone, as
> stated above."
>
> Thanks,
>
> Hugo
>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop