On Mon, Aug 20, 2018 at 9:53 AM Bob Harold <rharo...@umich.edu> wrote:

>
> On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters <p...@nohats.ca> wrote:
>
>>
>> When using DNSSEC, the resolver should follow the glue and then perform
>> a query at the child zone to confirm the glue data. In unbound.conf
>> terms this is called harden-glue: yes
>>
>
> I had not thought of this, thanks for mentioning it.  So if I transfer a
> copy of the root (or other zone), I can verify the signed parts with
> DNSSEC, and the glue by resolving them and verifying from the child zone.
> Does that leave any unverified records (are glue the only unsigned records)?
> Note that the child might have different records than the parent glue, so
> my copy of the zone might end up different in that regard - is that ok?
>

This scheme won't work because in the general case glue records for signed
zones may live in unsigned zones and thus may not be validatable at all.
See glue for .COM, .NET, .ORG etc for prominent examples.

-- 
Shumon Huque
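An added illustration, not code from the thread or from Unbound, of the check Paul describes and of the case Shumon raises: each parent-side glue record is compared with the answer from the zone that owns the nameserver name, and glue whose owning zone is unsigned is reported as unverifiable rather than validated. The names under the reserved .example TLD and the in-memory `lookup` stand-in for the child-zone query are constructed for the example.

```python
from typing import Callable, Dict, FrozenSet, List, NamedTuple, Tuple

# Outcomes for one glue record, following the thread's discussion.
VALIDATED = "validated"        # owning zone is signed and serves the same addresses
MISMATCH = "mismatch"          # owning zone is signed but its addresses differ
UNVERIFIABLE = "unverifiable"  # owning zone is unsigned: no signature to check against

class ChildAnswer(NamedTuple):
    addresses: FrozenSet[str]  # A/AAAA data the owning zone serves for the NS name
    secure: bool               # True only if that answer validated under DNSSEC

def check_glue(glue: Dict[str, FrozenSet[str]],
               lookup: Callable[[str], ChildAnswer]) -> Dict[str, str]:
    """Glue is not signed by the parent (nor is the delegation NS RRset; only the
    DS RRset is), so the child-side answer is the only thing a validator can
    check the glue against.  Returns one outcome per nameserver name."""
    report = {}
    for name, parent_addrs in glue.items():
        child = lookup(name)
        if not child.secure:
            report[name] = UNVERIFIABLE
        elif child.addresses == parent_addrs:
            report[name] = VALIDATED
        else:
            report[name] = MISMATCH
    return report

def hardened_copy(glue: Dict[str, FrozenSet[str]],
                  lookup: Callable[[str], ChildAnswer]) -> Tuple[Dict[str, FrozenSet[str]], List[str]]:
    """Glue a verified zone copy would carry (child data where it validated, parent glue
    otherwise), plus the names that could not be verified at all."""
    result, unverified = {}, []
    for name, parent_addrs in glue.items():
        child = lookup(name)
        if child.secure:
            result[name] = child.addresses
        else:
            result[name] = parent_addrs
            unverified.append(name)
    return result, unverified

# Constructed sample data (not real DNS data) under the reserved .example TLD.
PARENT_GLUE = {
    "ns1.signed.example": frozenset({"192.0.2.1"}),
    "ns2.signed.example": frozenset({"192.0.2.2"}),      # parent glue is stale
    "ns1.unsigned.example": frozenset({"198.51.100.1"}),  # lives in an unsigned zone
}
CHILD_ANSWERS = {
    "ns1.signed.example": ChildAnswer(frozenset({"192.0.2.1"}), True),
    "ns2.signed.example": ChildAnswer(frozenset({"192.0.2.3"}), True),
    "ns1.unsigned.example": ChildAnswer(frozenset({"198.51.100.1"}), False),
}
```

Run `check_glue(PARENT_GLUE, CHILD_ANSWERS.__getitem__)` to see the three outcomes; `hardened_copy` shows the copy diverging from the parent only where the child answer validated.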
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop