This is a discussion on Re: "orphaned" RRsets & DNSSEC - DNS ; # DNSSEC is a fine and useful BOS ... but there is this little nagging # problem that is bugging me. One of the lemas is that zones are signed, # which leaves the small problem of validating glue. others ...
# DNSSEC is a fine and useful BOS ... but there is this little nagging
# problem that is bugging me. One of the lemas is that zones are signed,
# which leaves the small problem of validating glue. others have argued that
# the proper response is to insist on all glue be removed by excising all the
# "out of baliwick" data - forcing servers to being the zone. nice idea, but
# will take a -LONG- time to gain operational traction. So in the mean time,
# we have signed zones w/ "orphaned" RRsets.
dnssec only signs authority data. glue is (by definition) not authority data.
the way glue is protected is that if you follow a delegation using supplied
glue and the server you reach isn't signing its data with the key the parent's
DS gave you, you know that the glue is evil and you can discard it, signal an
error, try the next glue, refetch the glue from the apparent real nameservers
for the enclosing zones of the glue, or treat the zone as "in failure",
according to (drum roll, please) "local policy".
this leads directly to the problem masataka pointed out ten years ago, where
if all of FOO.NET's nameservers are under FOO.COM, and vice versa, there's a
reasonable chance of both zones becoming unreachable. DNSSEC does not create
that problem, it's inherited from DNS. DNSSEC doesn't even make it any worse.
# Is there any reason why we can't validate the NS records, perhaps
# using the same general techniques as would be used for incremental signing?
yes. because we have to stop adding requirements some day. let's start now?
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.