Hi Bob, On 6/28/22 16:20, Bob Harold wrote:
But the parent NS set is not covered by DNSSEC, and thus could be spoofed?? (Wish we could fix that!)
The parental agent (registry, registrar) has off-band definite knowledge of the delegation's NS records. As an example, the .edu operator knows what umich.edu's NS records are, because the registrant (the university) told them. Cheers, Peter -- https://desec.io/ _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop