On 7/16/2010 7:42 AM, Niobos wrote:
> On 2010-07-16 12:36, Alan Clegg wrote:
>> .net isn't signed, and you don't sign "out-of-zone" data (glue and
>> delegation NS records).
>
> But org. is signed, and gives the same result.

.org does not have a DS record in the root yet. This is an example of a
broken chain of trust, not validatable, but not bogus.

If you are using ISC's DLV, you should still be able to validate within
.ORG (see http://www.isc.org/community/blog/201007/whats-happening-dlv
for more information on what is happening to DLV now that the root is
signed).

> But anyway, it basically boils down to:
>
>> On 7/16/2010 6:25 AM, Niobos wrote:
>>> It's probably just my lack of knowledge
>
> Trying to enhance that: Am I correct to state that it's not possible to
> validate a delegation NS RRset?
> You can only validate it indirectly by checking if the DS at the parent
> matches the DNSKEY in the (presumed) child.

And that the NS in the child is signed by the ZSK that is signed by the
KSK that matches the DS in the parent.

The parent is not allowed to sign the NS records (nor glue), as it does
not truly 'own' the data -- only the child has that responsibility.

> It appears that DNSSEC was designed to verify from the QNAME back up to
> the root. I was trying to do it the other way around, hence my confusion.

A leap of faith (trust anchor) provides a validatable zone which contains
a DS record which validates a child DNSKEY which provides a validatable
zone which ... but you start by doing a query for the QNAME in which you
were interested and then chasing backwards, so yes.

I highly recommend http://dnsviz.net as a path to enlightenment.

AlanC
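The one link in the chain that the thread keeps coming back to, "the DS at the parent matches the DNSKEY in the child", is checkable by hand. The following is an added example, not code from the list posters or from BIND: it builds the DS RDATA the parent would publish for a child DNSKEY (key tag per RFC 4034 Appendix B, digest over the canonical owner name plus DNSKEY RDATA) and compares it against a DS seen at the parent. The owner name example.org. and the key bytes are constructed filler, not a real key.

```python
import base64
import hashlib
import hmac
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels, each length-prefixed, then a zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def parse_dnskey(presentation: str) -> bytes:
    """Turn the text after 'IN DNSKEY' in dig output (e.g. '257 3 13 ( AbCd... )') into wire RDATA."""
    flags, proto, alg, *key = presentation.split()
    key_b64 = "".join(k for k in key if k not in "()")
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode(key_b64))

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS RDATA the parent publishes for this DNSKEY: (key tag, algorithm, digest type, hex digest).
    Digest types: 1 = SHA-1, 2 = SHA-256, computed over wire owner name + DNSKEY RDATA."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Does a DS seen in the parent zone vouch for this DNSKEY seen in the child zone?"""
    tag, alg, digest_type, digest = ds
    if digest_type not in (1, 2) or alg != rdata[3] or tag != key_tag(rdata):
        return False
    expected = make_ds(owner, rdata, digest_type)[3]
    return hmac.compare_digest(expected, digest.upper())

if __name__ == "__main__":
    # Constructed example: these key bytes are filler, not a real ECDSA P-256 key.
    child_ksk = dnskey_rdata(257, 3, 13, b"constructed-ksk-bytes")
    parent_ds = make_ds("example.org.", child_ksk)
    print("DS the parent should publish:", parent_ds)
    print("chain link valid:", ds_matches_dnskey(parent_ds, "example.org.", child_ksk))
    tampered = child_ksk[:-1] + b"!"
    print("chain link valid (altered key):", ds_matches_dnskey(parent_ds, "example.org.", tampered))
```

A mismatch here means the DS in the parent does not bind to that DNSKEY, and nothing signed by it (ZSK, NS RRset) can be validated through that parent; a missing DS, as with .org in the root at the time of this thread, is the "broken chain, not bogus" case.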
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users