> Tony Finch <mailto:d...@dotat.at>
> Wednesday, November 12, 2014 2:05 AM
>
> Right, but DNSSEC usually assumes that the zone transfers themselves are
> authenticated, so they can't be corrupted in transit.

no.

> This is not the case for local root zones.

it's not the case, period. the root zone happens to be transferred using
TSIG keys between the verisign distribution servers and the root
publication servers. but for most dnssec-secured zones there is no TSIG.
data tampering is handled downstream, when queries are received from the
possibly-tampered zone.
> With normal DNSSEC validation, resolvers have a way to recover from data
> corruption. With this local root zone proposal they do not.

i seem to have missed a step. why? an RDNS which has been programmed to
forward root queries to a stealth name server running on the loopback,
and is set up with rfc 5011 key roll, and DNSSEC validation. in BIND9,
unsecured data as well as wrongly signed data received at this RDNS from
the loopback-stealth server will be rejected. so, axfr-level tampering
will be ineffective, other than creating a denial-of-service problem for
that RDNS. i see no difference in recovery between the status quo vs.
the kumari/hoffman proposal, except that in BIND9 we'd probably want the
"forward first" logic.

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
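The setup Paul describes, written out as a BIND9 configuration. This is an added illustration, not configuration from the thread, from BIND, or from the kumari/hoffman draft. It assumes two named instances on the same host, a loopback port of 5300, RFC 5737 documentation addresses as placeholders, and no TSIG on the root zone transfer (the third-party case Paul mentions); the only control against tampered zone data is the validator in the second instance.

```conf
# ---------------------------------------------------------------
# Instance 1: stealth copy of the root zone, loopback only.
# Assumed: port 5300, placeholder transfer source 192.0.2.1, no TSIG.
# ---------------------------------------------------------------
options {
    listen-on port 5300 { 127.0.0.1; };
    recursion no;
    allow-query { 127.0.0.1; };
    allow-transfer { none; };
};

zone "." {
    type slave;
    file "root.zone.db";
    notify no;
    # No TSIG here: the transfer itself is unauthenticated, so a
    # tampered AXFR lands in this file unchanged. That is fine only
    # because every answer served from it is validated downstream.
    masters { 192.0.2.1; };   # placeholder for a root zone distribution address
};

# ---------------------------------------------------------------
# Instance 2: the recursive, validating RDNS that clients talk to.
# Assumed: service address 192.0.2.53.
# ---------------------------------------------------------------
options {
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   # placeholder client range
    # Built-in root trust anchor, kept current with RFC 5011 key rolls.
    # Unsigned or wrongly signed data from the loopback copy fails here.
    dnssec-validation auto;
};

zone "." {
    type forward;
    forward first;    # ask the loopback copy first, then fall back to normal root lookup
    forwarders { 127.0.0.1 port 5300; };
};
```

With this layout a modified RR served by instance 1 reaches instance 2 with an RRSIG that no longer matches, so instance 2 answers SERVFAIL for that name rather than returning the altered data; that is the denial-of-service outcome Paul refers to. The "forward first" clause covers the case where the loopback instance is down or not answering, letting the RDNS resolve the root the ordinary way instead of failing hard.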
