On 11/16/14 11:12 PM, Evan Hunt wrote:
> On Sun, Nov 16, 2014 at 03:12:58PM -0800, Doug Barton wrote:
>> Before commenting further I'd love the authors to flesh
>> out their reasoning for not simply slaving the zone where possible.
> I'm not one of the authors, but I can give you an answer: in BIND,
> and I believe in other DNS implementations as well, local authoritative
> data isn't subject to DNSSEC validation.
>> (And yes, I'm aware that one of the primary motivators is DNSSEC, but the
>> only thing in the root that we care about are the DS records, and a
>> validating resolver is going to chase those up to its trust anchor
>> anyway.)
> No. If the root zone is slaved locally in the same view as the
> validator, then the server (correctly) sees the top-level DS as
> local authoritative data, and presumes it to be valid.
> (I just tested BIND to confirm this. The log shows that org/DNSKEY,
> isc.org/DS, and isc.org/DNSKEY were validated, but org/DS wasn't.)
That seems like something that should be fixable in BIND, yes? (And
thanks for doing that testing, btw)
Doug
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
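The pitfall Evan describes, laid out as two alternative named.conf fragments, is an added example and not text from the thread or from BIND's documentation: configuration A slaves the root in the same view as the validator, configuration B is one way to keep the authoritative copy in a separate view so the validator fetches and validates TLD DS records like any other response (my assumption about the layout, not something the thread states). The transfer-source address 192.0.2.1 and the loopback address 127.0.0.2 are placeholders, not real endpoints.

```conf
// ===== Configuration A: root slaved in the same view as the validator =====
// Constructed example. There are no views here, so the slaved root zone and
// the validating recursive service share one view. A query for org/DS is
// answered from local authoritative data, which BIND does not validate,
// so the DS that anchors the rest of the chain is simply presumed valid.
options {
    recursion yes;
    dnssec-validation auto;
};
zone "." {
    type slave;
    file "root.slave";
    masters { 192.0.2.1; };          // placeholder transfer source
};

// ===== Configuration B: authoritative copy kept in its own view ==========
// Constructed example. Only queries addressed to 127.0.0.2 reach the slaved
// root. The recursive view never holds the root as authoritative data; it
// reaches the local copy through a static-stub zone, and the DS records it
// receives are validated against the configured trust anchor.
options {
    listen-on { 127.0.0.1; 127.0.0.2; };   // placeholder loopback addresses
};
view "rootcopy" {
    match-destinations { 127.0.0.2; };
    recursion no;
    zone "." {
        type slave;
        file "root.slave";
        notify no;
        masters { 192.0.2.1; };      // placeholder transfer source
    };
};
view "recursive" {
    match-destinations { !127.0.0.2; any; };
    recursion yes;
    dnssec-validation auto;
    // Root queries go to the local copy instead of the root servers,
    // but as a stub target, not as data this view is authoritative for.
    zone "." {
        type static-stub;
        server-addresses { 127.0.0.2; };
    };
};
```

A quick way to tell the two apart from the client side is the flag set on the answer to `dig org DS`: with configuration A the response comes back as an authoritative (aa) answer, with configuration B it can carry the ad flag only once validation succeeded.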