Joe Abley wrote:
> On 2010-03-08, at 10:27, Paul Wouters wrote:
>> On Mon, 8 Mar 2010, Joe Abley wrote:
>>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
>>> paraphrased as follows:
>>> - however, since the root zone is signed, validators can already tell when they
>>> are talking to a root server that serves bogus information
>> How does that work without ROOT-SERVERS.NET being signed with a known trust
>> anchor?
> Because validators are equipped with a trust anchor for the root zone's KSK.
> An unsigned ROOT-SERVERS.NET might leave validators talking to a bogus root
> server, but they won't believe any of the signed replies they get from it.

That is a narrow view of what a bogus root server may do. It may also
replicate all official root signatures (basically signed delegations)
and spoof unsigned delegations.

Your enemy may make a bogus signed TLD nameserver with the same strategy
so that unsigned delegations to SLD can also be spoofed.

If DNSSEC usage includes validation of A/AAAA, then signed A/AAAA for
nameservers at the root and TLD seem to provide some (arguably marginal
but not null) integrity assurance for unsigned domains.

That's just an observation on the above reasoning. A full pros and cons
analysis is obviously more encompassing.

Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
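
The validator outcomes discussed in this message, as a toy model added here for illustration (not code from the thread or from any DNS implementation). HMAC with a constructed key stands in for RRSIG verification against the root trust anchor, and all zone names, DS values and nameserver names are constructed.

```python
import hashlib
import hmac

ROOT_KEY = b"constructed-root-key"  # stand-in for the root zone's signing keys


def sign(owner, ds, key=ROOT_KEY):
    """Toy RRSIG over the DS set, or over the 'no DS' denial when ds is None."""
    covered = f"{owner}|{ds if ds is not None else 'NO-DS'}".encode()
    return hmac.new(key, covered, hashlib.sha256).hexdigest()


def referral(owner, ns, ds):
    """Genuine root referral: the NS set is unsigned, the DS or its denial is signed."""
    return {"owner": owner, "ns": ns, "ds": ds, "sig": sign(owner, ds)}


def classify(resp, key=ROOT_KEY):
    """Validator's view of a referral: 'bogus', 'secure' or 'insecure'."""
    expected = sign(resp["owner"], resp["ds"], key)
    if not hmac.compare_digest(resp["sig"], expected):
        return "bogus"
    return "secure" if resp["ds"] is not None else "insecure"


def bogus_server(genuine, new_ns, new_ds=None):
    """Replays the genuine signature unchanged; alters only NS and optionally DS."""
    forged = dict(genuine, ns=new_ns)
    if new_ds is not None:
        forged["ds"] = new_ds
    return forged


SIGNED = referral("signed-tld.", ["ns1.signed-tld."], "ds-digest-A")
UNSIGNED = referral("unsigned-tld.", ["ns1.unsigned-tld."], None)


def outcomes():
    other_ns = ["ns.other.invalid."]
    return {
        # DS altered: the replayed signature no longer covers it.
        "signed, DS altered": classify(bogus_server(SIGNED, other_ns, "ds-digest-X")),
        # NS altered only: referral validates, child answers must still match the DS.
        "signed, NS altered": classify(bogus_server(SIGNED, other_ns)),
        # NS altered on an unsigned delegation: validates as insecure, nothing
        # below this point is checked, so the altered NS set is accepted.
        "unsigned, NS altered": classify(bogus_server(UNSIGNED, other_ns)),
    }


if __name__ == "__main__":
    for case, state in outcomes().items():
        print(f"{case}: {state}")
```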