"Message Digest for DNS Zones" is a new Internet Draft describing a protocol and DNS Resource Record used to provide a message digest over DNS zone data. Although DNSSEC signs individual RRsets that can be validated, it is not sufficient to authenticate a zone as a whole, because zones also contain unsigned data (delegation NS records and glue addresses), and nothing in DNSSEC tells a recipient whether a zone file is complete. With this protocol the recipient of a zone can verify all of its data, signed and unsigned alike, against a single digest; in a DNSSEC-signed zone the digest record is itself signed, so the check authenticates the zone contents rather than only detecting accidental corruption.
In this presentation I will explain the motivation for this feature, and describe the algorithm for computing a digest over zone data. I will furthermore discuss some proposals and tradeoffs for supporting incremental zone updates with zone digests. Using an implementation of zone digests I will provide benchmarks for the time required to digest and verify zones of different sizes, with and without incremental updates.
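The following is an added illustration of the digest computation, not code from the draft's authors or from the implementation benchmarked in the talk. It follows the draft's SIMPLE scheme with SHA-384 (the RR type is called ZONEMD in the draft): every record is put into DNSSEC canonical wire form, sorted into canonical order, deduplicated, and hashed, with the apex ZONEMD records themselves left out. To stay short it handles only SOA, NS, A and AAAA records and does not model RRSIGs; the sample zone and the 192.0.2.x / 2001:db8:: addresses are constructed.

```python
"""Toy ZONEMD digest (SIMPLE scheme, SHA-384) over a small constructed zone.
Added example; supports only SOA, NS, A and AAAA and does not model RRSIGs."""
import hashlib
import hmac
import ipaddress
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}  # IANA RR type codes
CLASS_IN = 1
SCHEME_SIMPLE = 1      # ZONEMD scheme 1: one digest over the whole zone
HASH_SHA384 = 1        # ZONEMD hash algorithm 1: SHA-384


def labels(name):
    """Lowercased labels of a fully qualified name; the root '.' gives an empty list."""
    return [l.lower().encode() for l in name.rstrip(".").split(".") if l]


def name_to_wire(name):
    """Canonical wire form of a name: uncompressed, lowercase (RFC 4034 section 6.2)."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"


def name_sort_key(name):
    """Canonical name order (RFC 4034 section 6.1): compare labels right to left."""
    return tuple(reversed(labels(name)))


def rdata_to_wire(rtype, rdata):
    """Canonical RDATA; names embedded in NS and SOA RDATA are lowercased."""
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    if rtype == "NS":
        return name_to_wire(rdata)
    if rtype == "SOA":
        mname, rname, *counters = rdata.split()
        return name_to_wire(mname) + name_to_wire(rname) + struct.pack("!5I", *map(int, counters))
    raise ValueError("unsupported RR type " + rtype)


def soa_serial(origin, records):
    """Serial of the apex SOA; the ZONEMD RDATA carries it so a stale digest is rejected."""
    for owner, _ttl, rtype, rdata in records:
        if rtype == "SOA" and labels(owner) == labels(origin):
            return int(rdata.split()[2])
    raise ValueError("zone has no apex SOA")


def zone_digest(origin, records):
    """SIMPLE scheme: hash every RR in canonical wire form and canonical order,
    duplicates removed, apex ZONEMD RRs excluded (they cannot digest themselves)."""
    entries = set()
    for owner, ttl, rtype, rdata in records:
        if rtype == "ZONEMD" and labels(owner) == labels(origin):
            continue
        entries.add((name_sort_key(owner), TYPE[rtype], rdata_to_wire(rtype, rdata),
                     ttl, name_to_wire(owner)))
    h = hashlib.sha384()
    for _key, code, rdata, ttl, owner_wire in sorted(entries):  # owner, then type, then RDATA
        h.update(owner_wire + struct.pack("!HHIH", code, CLASS_IN, ttl, len(rdata)) + rdata)
    return h.digest()


def make_zonemd_rdata(origin, records):
    """ZONEMD RDATA layout: Serial (4 bytes) | Scheme (1) | Hash Algorithm (1) | Digest."""
    return (struct.pack("!IBB", soa_serial(origin, records), SCHEME_SIMPLE, HASH_SHA384)
            + zone_digest(origin, records))


def verify_zonemd(origin, records, zonemd_rdata):
    """Verifier side: serial must match the SOA, scheme and hash must be supported,
    and the recomputed digest must match (compared in constant time)."""
    serial, scheme, halg = struct.unpack("!IBB", zonemd_rdata[:6])
    if serial != soa_serial(origin, records):
        return False
    if scheme != SCHEME_SIMPLE or halg != HASH_SHA384:
        return False
    return hmac.compare_digest(zonemd_rdata[6:], zone_digest(origin, records))


ORIGIN = "example."
ZONE = [  # constructed sample zone, not real data
    ("example.", 3600, "SOA", "ns1.example. hostmaster.example. 2021010100 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("example.", 3600, "NS", "ns2.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("ns2.example.", 3600, "AAAA", "2001:db8::53"),
    ("www.example.", 300, "A", "192.0.2.80"),
    # Delegation NS and glue A records: never covered by the parent's DNSSEC signatures.
    ("child.example.", 3600, "NS", "ns.child.example."),
    ("ns.child.example.", 3600, "A", "192.0.2.200"),
]


def with_glue_tampered(records, new_ip="192.0.2.66"):
    """Same zone with the child's glue address swapped: a change DNSSEC would not catch."""
    return [(o, t, ty, new_ip if o == "ns.child.example." else r) for o, t, ty, r in records]


if __name__ == "__main__":
    rdata = make_zonemd_rdata(ORIGIN, ZONE)
    published = ZONE + [(ORIGIN, 3600, "ZONEMD", rdata)]
    print("digest:", rdata[6:].hex())
    print("intact zone verifies:", verify_zonemd(ORIGIN, published, rdata))
    print("tampered glue verifies:", verify_zonemd(ORIGIN, with_glue_tampered(published), rdata))
```

Because owner names and the names inside NS and SOA RDATA are lowercased and the records are sorted before hashing, a zone file that differs only in label case or record order produces the same digest, while changing a single unsigned glue address, or bumping the SOA serial without republishing the digest, makes verification fail.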
Talk Duration: 30 Minutes