Paul Wouters <p...@nohats.ca> writes:
> That leaves glue and NS, but there is a reason those aren't signed,
> and any attacker shouldn't get anything out of that by modifying it.

Yes, the glue isn't authoritative and thus not signed by DNSSEC. But, if you're transferring a zone from an original source to any secondary server that is redistributing the contents, then modification by an attacker can certainly do damage (though with fully deployed DNSSEC, it may be only a DoS; without it fully deployed it's much worse, and we're a long way from fully deployed on both ends).

The question of need comes down to: regardless of how it's done, do we need a global zone data signature across the entire set of distributed data that survives multiple distribution hops?

From the perspective of wanting to distribute data across a multitude of mechanisms (including DNS but also git, bittorrent, http, and Warren's dirty napkin), there is value to having a verifiable checksum. That's why software packages are distributed in the same way: verify that what you got is authentic before using it.

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
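As an added illustration of the point above (example code, not from the thread or any IETF specification): a digest over the whole zone in canonical order survives a hop that re-emits records in a different order, yet still catches a change to an unsigned glue A record that per-RRset DNSSEC signatures would not cover. The zone contents and addresses are constructed sample data; a real deployment would still need the digest itself delivered over a trusted path (for instance, as a signed record in the zone).

```python
import hashlib

# Constructed sample zone (hypothetical names and RFC 5737 addresses):
# a parent zone with a delegation whose glue is not covered by RRSIGs.
ZONE = [
    ("example.", 3600, "SOA", "ns1.example. hostmaster.example. 1 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("child.example.", 3600, "NS", "ns1.child.example."),
    ("ns1.child.example.", 3600, "A", "192.0.2.53"),  # glue: not signed by DNSSEC
]

def canonical_rr(rr):
    """One canonical text line per record: lowercase owner, uppercase type."""
    owner, ttl, rtype, rdata = rr
    return f"{owner.lower()} {ttl} {rtype.upper()} {rdata}"

def zone_digest(records):
    """SHA-256 over the sorted canonical records, so the result does not
    depend on the order in which an intermediate hop re-emits the zone."""
    h = hashlib.sha256()
    for line in sorted(canonical_rr(r) for r in records):
        h.update(line.encode() + b"\n")
    return h.hexdigest()

def verify_zone(records, expected_digest):
    """Recompute the digest at the receiving end and compare."""
    return zone_digest(records) == expected_digest

def tamper_glue(records, new_addr):
    """Simulate a hop that rewrites the delegated name server's glue A
    record; nothing in DNSSEC's per-RRset signatures would notice this."""
    out = []
    for owner, ttl, rtype, rdata in records:
        if owner == "ns1.child.example." and rtype == "A":
            rdata = new_addr
        out.append((owner, ttl, rtype, rdata))
    return out

def demo():
    """Return (reordered copy verifies, glue-modified copy verifies)."""
    published = zone_digest(ZONE)
    reordered = list(reversed(ZONE))
    modified = tamper_glue(ZONE, "198.51.100.9")
    return (verify_zone(reordered, published), verify_zone(modified, published))

if __name__ == "__main__":
    print(demo())  # (True, False)
```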