Sent from my iPhone
> On Aug 20, 2018, at 10:57 AM, Paul Wouters <p...@nohats.ca> wrote:
>
>> On Mon, 20 Aug 2018, Shumon Huque wrote:
>>
>> On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters <p...@nohats.ca> wrote:
>>
>> When using DNSSEC, the resolver should follow the glue and then perform
>> a query at the child zone to confirm the glue data. In unbound.conf
>> terms this is called harden-glue: yes
>>
>> I had not thought of this, thanks for mentioning it. So if I transfer a
>> copy of the root (or other zone), I can verify the signed parts with DNSSEC,
>> and the glue by resolving them and verifying from the child zone. Does that
>> leave any unverified records (are glue the only unsigned records)?
>>
>> Note that the child might have different records than the parent glue, so my
>> copy of the zone might end up different in that regard - is that ok?
>>
>> This scheme won't work because in the general case glue records for signed
>> zones may live in unsigned zones and thus may not be validatable at all. See
>> glue for .COM, .NET, .ORG etc for prominent examples.
>
> Those zones would have a signed ZONEMD but no DS record leading to a
> validated path anyway, so those are lost without an external (from
> DNSSEC) PKI which falls very far outside the scope of ZONEMD.
>
> Paul

What Shumon was referring to is the actual TLD zones themselves.

For example, the NS sets for COM have nameserver names under gtld-servers.net, which is an unsigned zone. The A/AAAA records, needed for finding the COM servers, aren't signed, even if attempting to find the AA answer.

What ZONEMD would provide is a method of validation of the non-authoritative A/AAAA (glue) for the TLD itself. While not as strong as using NS names in a signed zone, it is still a method of preventing poisoning of those glue records (A/AAAA specifically).

NB: root-servers.net is unsigned.

Brian

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
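The two checks the thread turns on, modelled as an added example that is not from any of the posters or from Unbound or the ZONEMD draft: a harden-glue style comparison of the parent's glue against the child zone's own answer, and a classification of whether that child answer is DNSSEC-validatable at all, which depends on whether the nameserver name sits in a signed zone. The zone-cut table, the nameserver names under example.net, and the 192.0.2.0/24 addresses are all constructed for illustration; a real resolver would learn signed-ness from the DS chain and query the child live rather than read from dictionaries.

```python
"""Added example: harden-glue comparison plus the 'is this glue validatable' test.

Constructed data only; no DNS queries are made.  Glue whose nameserver name
lives in an unsigned zone (gtld-servers.net, root-servers.net) cannot be
confirmed through DNSSEC no matter what the child answers, which is the gap
the thread says a ZONEMD over the zone copy would cover.
"""

# Constructed zone-cut table: apex -> is the zone DNSSEC-signed?
# A real resolver derives this from the DS chain; here it is a plain lookup.
SIGNED_ZONES = {
    ".": True,
    "net.": True,
    "example.net.": True,           # hypothetical signed zone
    "gtld-servers.net.": False,     # unsigned, as the thread notes
    "root-servers.net.": False,     # unsigned, as the thread notes
}


def enclosing_zone(name, zones):
    """Return the most specific apex in `zones` that contains `name`, or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        tail = ".".join(labels[i:])
        apex = tail + "." if tail else "."
        if apex in zones:
            return apex
    return None


def check_glue(ns_name, parent_glue, child_answer, zones):
    """Classify one nameserver's glue.

    parent_glue  - addresses the parent zone carries as glue for ns_name
    child_answer - addresses the child zone itself returns for ns_name,
                   or None if the child could not be queried
    Returns (validatable, agreement): 'validatable' / 'unvalidatable' and
    'match' / 'mismatch' / 'unknown'.
    """
    apex = enclosing_zone(ns_name, zones)
    validatable = "validatable" if apex and zones[apex] else "unvalidatable"
    if child_answer is None:
        agreement = "unknown"
    elif set(parent_glue) == set(child_answer):
        agreement = "match"
    else:
        agreement = "mismatch"
    return validatable, agreement


def audit(parent_glue_map, child_answer_map, zones):
    """Run check_glue over every nameserver the parent carries glue for."""
    return {
        ns: check_glue(ns, addrs, child_answer_map.get(ns), zones)
        for ns, addrs in parent_glue_map.items()
    }


def preferred_addresses(ns_name, parent_glue, child_answer, zones):
    """Choose the address set a hardened resolver should use for ns_name.

    A validatable child answer wins over the parent's glue (harden-glue
    behaviour).  Otherwise the parent glue is all there is, and only a
    ZONEMD over the zone copy can vouch for it.
    """
    validatable, agreement = check_glue(ns_name, parent_glue, child_answer, zones)
    if validatable == "validatable" and agreement != "unknown":
        return set(child_answer)
    return set(parent_glue)


# Constructed sample data using documentation addresses (192.0.2.0/24).
PARENT_GLUE = {
    "a.gtld-servers.net.": {"192.0.2.5"},
    "ns1.example.net.": {"192.0.2.1"},
}
CHILD_ANSWERS = {
    "a.gtld-servers.net.": {"192.0.2.5"},   # child agrees, but its answer is unsigned
    "ns1.example.net.": {"192.0.2.9"},      # signed child disagrees with the glue
}

if __name__ == "__main__":
    for ns, result in audit(PARENT_GLUE, CHILD_ANSWERS, SIGNED_ZONES).items():
        print(ns, result)
```

Running it reports a.gtld-servers.net as unvalidatable even though the child agrees with the glue, and ns1.example.net as validatable but mismatched, in which case `preferred_addresses` takes the signed child's data over the glue.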