Re: "orphaned" RRsets & DNSSEC
On Mon, Nov 21, 2005 at 07:05:58PM +0000, Paul Vixie wrote:
> # DNSSEC is a fine and useful BOS ... but there is this little nagging
> # problem that is bugging me. One of the lemmas is that zones are signed,
> # which leaves the small problem of validating glue. others have argued that
> # the proper response is to insist that all glue be removed by excising all the
> # "out of bailiwick" data - forcing servers to be in the zone. nice idea, but
> # will take a -LONG- time to gain operational traction. So in the mean time,
> # we have signed zones w/ "orphaned" RRsets.
> dnssec only signs authority data. glue is (by definition) not authority data.
not authority data for the zone in question. it is authority
data for some part of the hierarchy tho...
> the way glue is protected is that if you follow a delegation using supplied
> glue and the server you reach isn't signing its data with the key the parent's
> DS gave you, you know that the glue is evil and you can discard it, signal an
> error, try the next glue, refetch the glue from the apparent real nameservers
> for the enclosing zones of the glue, or treat the zone as "in failure",
> according to (drum roll, please) "local policy".
yes, yes... the presumption of fully signed hierarchy and/or locally
maintained TAs... Is that -ALL- there is for choice?
> this leads directly to the problem masataka pointed out ten years ago, where
> if all of FOO.NET's nameservers are under FOO.COM, and vice versa, there's a
> reasonable chance of both zones becoming unreachable. DNSSEC does not create
> that problem, it's inherited from DNS. DNSSEC doesn't even make it any worse.
well, DNSSEC doesn't make it better. and in the presence of actual
application validation attempts, it could be much worse.
> # Is there any reason why we can't validate the NS records, perhaps
> # using the same general techniques as would be used for incremental signing?
> yes. because we have to stop adding requirements some day. let's start now?
er... because we have to stop is not, IMHO, a credible reason.
or are you suggesting that this is such a fundamental change, that
we would have to scrap what has been done to add/integrate this
spiffy chromed hood ornament to the DNSSEC funny car?
or, are you concerned that DNSSEC will never gain adoption as long
as there are suggested changes, modifications, additions, tweaks,
etc. being proposed? Kind of like the DNS will never gain adoption
until people stop trying to add, change, modify or tweak it?
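The glue check Vixie describes in the quoted reply (follow the delegation with the parent's glue, then see whether the server you land on presents a key matching the DS the parent gave you, and if not discard that glue and try the next one) can be shown as a small toy resolver. The block below is an added example, not code from either poster or from any DNS implementation. The zone names (child.example.), the 192.0.2.x addresses, the key bytes and the SERVERS table that stands in for the network are all constructed for the example; the DS digest and key tag computations follow RFC 4034. What it deliberately does not do is verify the RRSIG over the DNSKEY RRset, so a DS match here only proves the server handed back the right public key, not that it holds the private key.

```python
"""Added example (not from the thread): follow a delegation using parent glue
and check the child's DNSKEY set against the parent's DS before trusting it.
Zone names, addresses and key bytes are constructed for this example."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercased, length-prefixed labels, root label."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS as the parent would publish it: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


# --- constructed world: a parent delegation and the servers its glue points at ---
CHILD = "child.example."
REAL_KSK = dnskey_rdata(257, 3, 13, b"real-ksk-public-key-bytes")     # 257 = SEP bit set
ROGUE_KSK = dnskey_rdata(257, 3, 13, b"attacker-controlled-key")       # constructed attacker key
PARENT_DELEGATION = {
    "ns": [("ns1.child.example.", "192.0.2.1"),   # glue points at a rogue server
           ("ns2.child.example.", "192.0.2.3"),   # glue points at an address that never answers
           ("ns3.child.example.", "192.0.2.2")],  # glue points at the real server
    "ds": {ds_from_dnskey(CHILD, REAL_KSK)},      # parent signed DS for the real KSK only
}
SERVERS = {  # what each address answers to "DNSKEY child.example."; absent = no response
    "192.0.2.1": [ROGUE_KSK],
    "192.0.2.2": [REAL_KSK, dnskey_rdata(256, 3, 13, b"real-zsk-public-key-bytes")],
}


def query_dnskey(addr: str):
    """Stand-in for a network query; returns the DNSKEY RRset or None on timeout."""
    return SERVERS.get(addr)


def dnskey_matches_ds(owner: str, dnskeys, ds_set) -> bool:
    """True if at least one returned DNSKEY hashes to a DS the parent published."""
    return any(ds_from_dnskey(owner, k) in ds_set for k in dnskeys)


def follow_delegation(owner: str, delegation: dict) -> dict:
    """Try each glue address in order.  Glue whose server does not present a key
    matching the parent's DS is discarded; if none survives, the zone is 'in failure'."""
    discarded = []
    for ns_name, addr in delegation["ns"]:
        keys = query_dnskey(addr)
        if keys is None:
            discarded.append((ns_name, addr, "no response"))
            continue
        if not dnskey_matches_ds(owner, keys, delegation["ds"]):
            discarded.append((ns_name, addr, "DNSKEY does not match parent DS"))
            continue
        return {"status": "secure", "server": ns_name, "address": addr, "discarded": discarded}
    return {"status": "failure", "server": None, "address": None, "discarded": discarded}


if __name__ == "__main__":
    print(follow_delegation(CHILD, PARENT_DELEGATION))
```

Run as-is, the resolver discards the rogue glue and the dead address and settles on 192.0.2.2; with only the rogue glue available it reports failure, which is the "treat the zone as in failure" branch of the local policy Vixie lists. Because an attacker who controls glue can serve the genuine public DNSKEY without holding the private key, a real validator must also check the RRSIG over the DNSKEY RRset and over the answers that follow; that is where bad glue is usually actually caught.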