Paul Wouters wrote:
> On Sun, 6 Sep 2009, Leen Besselink wrote:
>
>> I'm not a protocol expert, but why would you not trust the toplevel
>> nameserver if DNSSEC isn't enabled?
>
> The records are "hints". They are published not by the zone owners,
> but by their parents. This is required to avoid a recursion loop.
> If you need ns1.example.com. to find ns1.example.com. someone else
> will have to tell you. This is what glue records are for.
>

I know this part.

> Since these are "out of zone" records, they are considered hints.
> It's common sense to verify the information at the proper source.
>

The problem I see with that is, the proper source is just as trustworthy as the parent. Which is: not much, if any, at least without something like DNSSEC to verify something.

If we'd be talking about a CNAME that would be something else, when we were talking about "out of zone" records. But the parent-zone? If we can't trust the parent-zone a little, we can't trust the child, because the parent-zone pointed us to it.

> It's like verifying gossip :)
>
> Paul
>

Not that I want to argue with a DNS-expert, but I'm just surprised at the answer.

Ooh, darn I think I know now, it's because it's a different domain, isn't it? titan.net or its parents, other than the root are in no way related to nmap.org.

I wonder if Bert considers it a bug in 3.1.7?

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
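The rule the thread arrives at, as an added example that is not part of the list discussion or of Unbound's code: a resolver accepts additional-section address records as glue only when they sit under the zone the answering server is authoritative for, so addresses for titan.net names handed out with an .org referral are out of bailiwick and are at most hints to be re-resolved at their proper source. The nameserver names and addresses below are constructed for the illustration.

```python
"""Bailiwick check for glue in a DNS referral (illustrative, constructed data)."""


def normalize(name: str) -> str:
    """Lower-case and add the trailing dot so name comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it (label-wise, not substring)."""
    name, zone = normalize(name), normalize(zone)
    if zone == ".":
        return True  # the root has everything in bailiwick
    return name == zone or name.endswith("." + zone)


def filter_glue(zone: str, additional: list[tuple[str, str, str]]) -> tuple[list, list]:
    """Split additional-section (owner, type, rdata) records into glue a resolver
    may cache from this server and out-of-zone hints it must verify elsewhere."""
    accepted, hints = [], []
    for owner, rtype, rdata in additional:
        if rtype in ("A", "AAAA") and in_bailiwick(owner, zone):
            accepted.append((owner, rtype, rdata))
        else:
            hints.append((owner, rtype, rdata))
    return accepted, hints


# Constructed referral for nmap.org as an org. server might return it:
# one nameserver inside nmap.org, one under titan.net (hypothetical names,
# documentation addresses).
REFERRAL_ZONE = "org."
REFERRAL_ADDITIONAL = [
    ("ns.nmap.org.", "A", "192.0.2.10"),  # in bailiwick of org. -> real glue
    ("ns1.titan.net.", "A", "192.0.2.20"),  # out of bailiwick -> only a hint
]


def split_example_referral() -> tuple[list, list]:
    """Apply the check to the constructed referral above."""
    return filter_glue(REFERRAL_ZONE, REFERRAL_ADDITIONAL)


if __name__ == "__main__":
    glue, hints = split_example_referral()
    print("cacheable glue:", glue)
    print("hints to re-resolve at their own zone:", hints)
```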
