Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

Matt Larson <> Tue, 31 July 2018 13:53 UTC


> On Jul 31, 2018, at 5:44 AM, Philip Homburg <> wrote:
> I wonder if there still is a use case for distributing the root zone. With
> QNAME minimization and NXDOMAIN based on NSEC records, the major use cases
> seem to be gone. Compared to other zones, the root is massively over
> provisioned. So if (from an availability point of view) there is need to have
> a local copy of the root, then you would need a local copy of .com as well.

A local copy of the root zone improves availability in and of itself because of its importance as the starting point of all resolution. While the root zone is indeed massively over-provisioned, the bad guys will always be able to send more traffic: that's an unwinnable arms race. And over-provisioning doesn't help me if reachability is poor from my particular vantage point. Availability will therefore always be a concern.

Sure, a local copy of .com would (further) improve availability, but that's entirely impractical given the zone's size and rate of change. We're fortunate that the critically important root zone is small enough and changes infrequently enough that having a local copy is a realistic option.

I don't think we should assume only (or even primarily) AXFR for root zone distribution on a massive scale. Building a scalable infrastructure for that is a significant expense that I don't think is necessary (for the root operators or anyone else) when distributing 2MB files is a problem that's been solved other ways many times over. Why not distribute the root zone via, for example, multiple CDNs?

To verify the integrity of the downloaded zone one could validate all the RRSIGs, but that opens up the DoS and privacy attacks that have been described elsewhere in this discussion. And even if we issue admonitions to not have a local copy of the root zone without also enabling DNSSEC validation, we know that realistically there will be those who do the former without the latter.

For all those reasons, I think a checksum in the zone file itself that can be verified with DNSSEC is the best option for this use case, and I like the ZONEMD solution.
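As an added illustration of the checksum-in-the-zone approach described above (example code, not from the thread or the draft), here is a simplified model of a ZONEMD-style digest: the publisher hashes every record except the digest record itself and places the result at the apex; the consumer recomputes it after download. The toy zone, the presentation-format canonicalization, the SHA-384 choice and the `serial digest-type hex` rdata layout are all constructed for this example; the actual draft digests wire-format RRs, and the ZONEMD RRset must be DNSSEC-validated before the comparison, which is assumed to have been done by the caller.

```python
import hashlib

# Constructed toy zone in presentation format (not the real root zone).
ZONE = """\
example.     86400 IN SOA ns.example. admin.example. 2018073100 1800 900 604800 86400
example.     86400 IN NS  ns.example.
ns.example.  86400 IN A   192.0.2.53
b.example.   86400 IN NS  ns.b.example.
a.example.   86400 IN NS  ns.a.example.
"""

def parse_rrs(text):
    """Return (owner, ttl, class, type, rdata) tuples; owner names lower-cased."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if line:
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            rrs.append((owner.lower(), int(ttl), cls, rtype, " ".join(rdata.split())))
    return rrs

def canonical_key(rr):
    """Order in the spirit of RFC 4034 s6: owner labels right-to-left, then type, then rdata."""
    labels = tuple(reversed(rr[0].rstrip(".").split(".")))
    return (labels, rr[3], rr[4])

def zone_digest(rrs):
    """SHA-384 over all RRs in canonical order, skipping the ZONEMD RR itself."""
    h = hashlib.sha384()
    for rr in sorted(rrs, key=canonical_key):
        if rr[3] != "ZONEMD":                          # a digest cannot cover its own carrier
            h.update(" ".join(map(str, rr)).encode() + b"\n")
    return h.hexdigest()

def soa_serial(rrs):
    """Serial is the third rdata field of the SOA record."""
    return int(next(rr for rr in rrs if rr[3] == "SOA")[4].split()[2])

def publish(text, apex):
    """Publisher side: append an apex ZONEMD RR (constructed layout: serial digest-type hex)."""
    rrs = parse_rrs(text)
    return text + f"{apex} 86400 IN ZONEMD {soa_serial(rrs)} 1 {zone_digest(rrs)}\n"

def verify(text, apex):
    """Consumer side: recompute the digest and compare with the (already DNSSEC-validated) ZONEMD RR."""
    rrs = parse_rrs(text)
    md = [rr for rr in rrs if rr[0] == apex and rr[3] == "ZONEMD"]
    if len(md) != 1:                                   # missing or ambiguous digest record
        return False
    serial, dtype, digest = md[0][4].split()
    return int(serial) == soa_serial(rrs) and dtype == "1" and digest == zone_digest(rrs)
```

Because the digest is computed over canonically ordered records rather than file bytes, a CDN or mirror may reformat or reorder the file without breaking verification, while any change to a record's data is detected.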