Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

Philip Homburg <> Tue, 31 July 2018 09:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BFA8A130E08 for <>; Tue, 31 Jul 2018 02:44:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZJ0XiNn3krha for <>; Tue, 31 Jul 2018 02:44:50 -0700 (PDT)
Received: from ( [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 52604130E04 for <>; Tue, 31 Jul 2018 02:44:50 -0700 (PDT)
Received: from (localhost [::ffff:]) by with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384) (Smail #157) id m1fkRCk-0000GTC; Tue, 31 Jul 2018 11:44:34 +0200
Message-Id: <>
Cc: Wes Hardaker <>
From: Philip Homburg <>
References: <> <>
In-reply-to: Your message of "Mon, 30 Jul 2018 16:58:29 -0700 ." <>
Date: Tue, 31 Jul 2018 11:44:24 +0200
Archived-At: <>
Subject: Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 Jul 2018 09:44:53 -0000

> > The draft states in the Motivation section:
> >
> >     "The motivation and design of this protocol enhancement is tied to the 
> DNS root zone [InterNIC]."
> That may be a motivation, but as a prospective user I want to use
> it for much more.  My LocalRoot server is already going to be
> serving 3 zones, and I have plans for many more.  It would be
> helpful to know that on the distribution side of things that I had
> indeed grabbed an authentic source before sending it off to all
> the resolvers that want to pre-cache a random zone X.
> Be careful that we don't collectively interpret the sentence you
> quote as meaning 'this is only useful for the root zone' just
> because that was the original motivation.

I think there is a big difference between distributing the root zone and
distributing a few 'local' zones.

In the first case you need something that is massively scalable.

In the second case, just create a tar file with a zone file and a hash, put
it up on a web server and the problem is solved. Verifying the contents of a
file is not exactly a new problem. 

I wonder if there still is a use case for distributing the root zone. With
QNAME minimization and NXDOMAIN based on NSEC records, the major use cases
seem to be gone. Compared to other zones, the root is massively over
provisioned. So if (from an availability point of view) there is need to have
a local copy of the root, then you would need a local copy of .com as well.

Though I'm sure that are people who want to reinvent DNSSEC.

One final remark, maybe it is worth investigating a 'NSDEL' record type,
and possibly 'ADEL' and 'AAAADEL'. Which are the equivalents of NS, A, AAAA
for delegations/glue. With separate record types, we can define that they are
covered by a RRSIG. Solving issues with data not being signed.