On Tue, 11 Nov 2025, Steve Crocker wrote:
> As more and more resolvers switch to using local copies of the root zone, there may be a need to strengthen the process of providing those copies to a very large set of resolvers. That's the part that is not yet scoped and may need design and implementation.
Like RFC 8976 Message Digest for DNS Zones by the root zone operator(s)?
> The primary purpose of such a design is to prevent improper forceful removal of legitimate entries from the root zone. This is stronger than detecting the problem after the fact.
Data can always be removed. If I run a legitimate instance of A root, I can still withhold data for the nl. TLD. How would you prevent removal of RRsets by a malicious party? If the attacker can prevent you from downloading the root zone from the zillions of places where it is available, there is nothing that can help you.

Paul
