On 2026-03-05 18:34 +01, Philip Homburg <[email protected]> wrote:
>> I appreciate that DNSSEC is there to save us from such problems,
>> but software has bugs and humans make mistakes and our goal ought
>> to be to protect the namespace expecting that those things are
>> true, not trying to legislate that they must be false. We have
>> certainly seen fixes to DNSSEC validation failures of the form
>> "turn off validation". Hope is not a strategy.
>
> The advantage of DNSSEC is that a cached copy of the root zone will fail to
> validate in a few weeks.
>
> So I wonder if we should say something to the effect:
> A resolver MUST discard, ignore, or otherwise not use a local copy of the
> root zone if the DNSSEC validation status of the ZONEMD RRset in the zone
> is bogus, insecure, or indeterminate (i.e., anything other than secure).
> This does not mean that the resolver has to be a DNSSEC validating resolver,
> just that it has to validate this one RRset to be able to use a local
> root.

Oooh, new requirement: the LocalRoot server MUST have an accurate clock.
This is not an entirely trivial requirement on unmanaged systems,
e.g. my oven is right out, and who knows what my CPE is up to...

-- 
In my defence, I have been left unsupervised.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
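
An added example, not taken from either message or from any draft text: the proposed "anything other than secure means discard" gate for a local root copy, showing how the resolver's clock feeds the ZONEMD RRSIG validity-window check. All names are hypothetical, the timestamps are constructed, and `sig_ok` is an assumption standing in for the actual cryptographic RRSIG verification.

```python
from datetime import datetime, timezone
from enum import Enum

MOD = 1 << 32  # RRSIG inception/expiration are 32-bit second counters


class Status(Enum):
    SECURE = "secure"
    BOGUS = "bogus"
    INSECURE = "insecure"
    INDETERMINATE = "indeterminate"


def serial_lte(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial arithmetic, which RFC 4034 requires here."""
    return a == b or (b - a) % MOD < (1 << 31)


def zonemd_status(signed, have_anchor, sig_ok, inception, expiration, clock):
    """Classify the ZONEMD RRset; sig_ok stands in for the real RRSIG crypto check."""
    if not have_anchor:
        return Status.INDETERMINATE  # no trust anchor to validate against
    if not signed:
        return Status.INSECURE       # simplified: RRset carries no RRSIG
    now = int(clock) % MOD
    in_window = serial_lte(inception, now) and serial_lte(now, expiration)
    return Status.SECURE if (sig_ok and in_window) else Status.BOGUS


def may_use_local_root(status: Status) -> bool:
    """The proposed rule: anything other than secure means discard the copy."""
    return status is Status.SECURE


def ts(y, m, d):
    """UTC midnight of the given date as a Unix timestamp."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


# Constructed validity window for the ZONEMD RRSIG (not real root zone data).
INCEPTION, EXPIRATION = ts(2026, 3, 1), ts(2026, 3, 14)

if __name__ == "__main__":
    for label, clock in [("accurate", ts(2026, 3, 5)), ("no RTC, epoch", 0),
                         ("running ahead", ts(2026, 4, 1))]:
        st = zonemd_status(True, True, True, INCEPTION, EXPIRATION, clock)
        print(f"{label:15} {st.value:8} use={may_use_local_root(st)}")
```

A clock that is stuck at a time inside the window keeps returning secure after the signature has really expired, so the gate is only as good as the time source behind it.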
