Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

[Philip Homburg <pch-dnsop-3@u-1.phicoh.com>]

> > The draft states in the Motivation section:
> >
> >     "The motivation and design of this protocol enhancement is tied to the 
> DNS root zone [InterNIC]."
> 
> That may be a motivation, but as a prospective user I want to use
> it for much more.  My LocalRoot server is already going to be
> serving 3 zones, and I have plans for many more.  It would be
> helpful to know that on the distribution side of things that I had
> indeed grabbed an authentic source before sending it off to all
> the resolvers that want to pre-cache a random zone X.
> 
> Be careful that we don't collectively interpret the sentence you
> quote as meaning 'this is only useful for the root zone' just
> because that was the original motivation.

I think there is a big difference between distributing the root zone and
distributing a few 'local' zones.

In the first case you need something that is massively scalable.

In the second case, just create a tar file with a zone file and a hash, put
it up on a web server and the problem is solved. Verifying the contents of a
file is not exactly a new problem. 

I wonder if there still is a use case for distributing the root zone. With
QNAME minimization and NXDOMAIN based on NSEC records, the major use cases
seem to be gone. Compared to other zones, the root is massively over
provisioned. So if (from an availability point of view) there is need to have
a local copy of the root, then you would need a local copy of .com as well.

Though I'm sure that are people who want to reinvent DNSSEC.

One final remark, maybe it is worth investigating a 'NSDEL' record type,
and possibly 'ADEL' and 'AAAADEL'. Which are the equivalents of NS, A, AAAA
for delegations/glue. With separate record types, we can define that they are
covered by a RRSIG. Solving issues with data not being signed.