> From: Mark Andrews <ma...@isc.org>
> DNS is loosely coherent. DiS does not work when the sources of data are not
> coherent.

Do you mean that the glue is not uniquely determined because the authoritative server merges multiple zone information or the data cached by the resolver part of the DNS server?

> From: Mark Andrews <ma...@isc.org>
>> I have a question why we did not include signature validation function
>> to delegation information?
>
> Delegating NS records because the zone would become big and people didn't
> want to have TLD zones have signatures for each delegation.

In case of TLDs with many signed (with DS) delegations, the increase of DiS RR is not a problem because DiS is a part of DS RRSet.

> We could sign
> delegating NS records as you can determine delegating vs top of zone by
> looking at the signer field of the NS RRset. You would then have to deal
> with the case where you have signed parent and unsigned child and a referral
> to the grand child.

Do you mean that digest calculation is difficult because RRSets with the same name come from servers in multiple layers and are mixed?

> You would have to stop following the referral, verify
> the child is unsigned, then restart following the referral. This is a lot
> of work for very little benefit.

Many domains are 3 layered.

root: signed (with signed referrals)
TLD: signed (with signed referrals)
example.com: unsigned (no referral)

Then, example.com can't be validated, but at least it's nice to know that the referral from the TLD is correct?

> Glue records would need a different signature type and would need to compute
> the signature differently to prevent it being used in a replay attack when
> the RRset differs.

I would like to read such a draft (idea).

> I suppose you could use the same algorithm as it would
> encourage people to keep data coherent. You would still have the parent,
> child, grandchild issues from above.

If they don't share authoritative servers, referrals (NS RRSet and glue) are uniquely determined.

>> And the idea may offer the signature for root priming data.
>
> It can't. There is no requirement for address records for nameservers
> for a zone to exist in the zone, as glue or not, even if the nameservers
> are below top of zone. Glue is only required for delegations.

Yes. I agree. It's another discussion.

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
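The three-layer case discussed above (signed root and TLD referrals, unsigned example.com) together with the point about incoherent data sources, modelled as an added example that is not part of this thread or of the DiS draft. It assumes a constructed canonical form for the delegation digest and uses HMAC-SHA256 in place of the parent's RRSIG; all keys, names and addresses are constructed sample values.

```python
# Added example, not from the thread: a toy model of a parent-published
# digest over a child's delegation information (NS RRset plus glue), carried
# inside the parent-signed DS RRset and checked by a resolver.
# ASSUMED: the canonical form below and HMAC-SHA256 standing in for the
# parent's RRSIG are constructed for illustration, not the draft's encoding.
import hashlib
import hmac

def canonical_referral(ns_rrset, glue):
    # Order-independent form: identical referrals from different servers
    # must digest identically (assumed encoding).
    ns = ";".join(sorted(n.lower() for n in ns_rrset))
    gl = ";".join(f"{h.lower()}={ip}" for h, ip in sorted(glue.items()))
    return f"NS:{ns}|GLUE:{gl}".encode()

def delegation_digest(ns_rrset, glue):
    return hashlib.sha256(canonical_referral(ns_rrset, glue)).hexdigest()

def sign_ds_rrset(parent_key, child, ds_rrset):
    # Stand-in for the RRSIG the parent places over the child's DS RRset.
    msg = (child + "|" + "|".join(sorted(ds_rrset))).encode()
    return hmac.new(parent_key, msg, hashlib.sha256).hexdigest()

def verify_referral(parent_key, child, ds_rrset, rrsig, ns_rrset, glue):
    """True if the DS RRset signature verifies and one DS entry equals the
    digest of the referral (NS + glue) this resolver actually received."""
    if not hmac.compare_digest(sign_ds_rrset(parent_key, child, ds_rrset), rrsig):
        return False
    return delegation_digest(ns_rrset, glue) in ds_rrset

# Constructed three-layer chain: root and com sign their referrals;
# example.com itself is unsigned, so nothing below it can be validated.
ROOT_KEY, COM_KEY = b"root-key-constructed", b"com-key-constructed"
COM_NS, COM_GLUE = ["a.gtld-servers.net"], {"a.gtld-servers.net": "192.0.2.1"}
EX_NS, EX_GLUE = ["ns1.example.com"], {"ns1.example.com": "192.0.2.53"}
COM_DS = ["ksk-digest-constructed", delegation_digest(COM_NS, COM_GLUE)]
EX_DS = [delegation_digest(EX_NS, EX_GLUE)]  # child unsigned: DiS only
COM_SIG = sign_ds_rrset(ROOT_KEY, "com", COM_DS)
EX_SIG = sign_ds_rrset(COM_KEY, "example.com", EX_DS)

def walk_chain(ex_glue_seen):
    """Checks a resolver can make on the way to example.com; ex_glue_seen is
    the glue returned by whichever com server happened to answer."""
    return {
        "root->com": verify_referral(ROOT_KEY, "com", COM_DS, COM_SIG, COM_NS, COM_GLUE),
        "com->example.com": verify_referral(COM_KEY, "example.com", EX_DS, EX_SIG, EX_NS, ex_glue_seen),
        "example.com data": None,  # unsigned zone: no validation possible
    }
```

If two com servers hand out different glue for ns1.example.com, the digest no longer matches the DS entry and the referral check fails even though the DS RRset signature still verifies, which is the incoherence problem raised above.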