On Jul 5, 2018, at 19:38, George Michaelson <g...@algebras.org> wrote:
> Only the zone authority can publish a DNSSEC signed zone.

I don't know what this means exactly, but I think it's wrong. I will illustrate my thinking by using some of these words (like "publish") in the way that I understand them, to see if that helps. So I am not arguing; I'm describing different usage.

Any nameserver can publish any zone they want. There is no claim, there is only do. DNSSEC RRSets are not special in this regard. They are just RRSets.

A client might send a query to a particular server because it was sent that way by referrals or by local configuration. Clients might not send queries to a server at all. The server can still be said to publish a zone.

Only someone able to exercise the private key that corresponds to a published trust anchor can generate signatures that anybody can validate. Signing RRSets is a different function from publishing a zone.

Multiple copies of a private key might be exercised by multiple different actors who can each produce different signed zones with the same apex owner name, which clients can successfully validate using the same trust anchor. You could argue that such a key is not very private, and I might agree. (See also the multiple-ZSK experiments conducted in the Yeti project for other examples.)

Root server operators publish the signed root zone. They are not able to exercise private keys used by PTI and Verisign to generate the various RRSIGs in the root zone. That is ok.

Many TLD operators generate signed zones that are published on nameservers operated by third parties (e.g. as commercial DNS operators, for a fee). Those third party operators publish the zones, but don't have access to the private key. That is ok.

> Anyone can claim to publish a view of a non-DNSSEC signed zone.

I don't know what "publish a view" means. A "view" is BIND8/9 terminology that describes which zone data to publish to particular sets of clients. The things being published are the zone data, not the views.
Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
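A small model of the distinction drawn above (signing needs the private key, publishing needs no key, validating needs only the trust anchor), added here as an example and not code from the thread. It uses Go's standard Ed25519 (DNSSEC algorithm 15) over a simplified RRset representation; the owner name, addresses and the bare-signature stand-in for RRSIG are constructed placeholders, not real DNSSEC wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified DNS RRset (no wire format); canonical() lower-cases the
// owner and sorts the RRs, standing in for the canonical form DNSSEC signs over.
type RRSet struct {
	Owner, Type string
	RRs         []string
}

func (r RRSet) canonical() []byte {
	rrs := append([]string(nil), r.RRs...)
	sort.Strings(rrs)
	return []byte(strings.ToLower(r.Owner) + "/" + r.Type + "/" + strings.Join(rrs, ";"))
}

// SignedRRSet is an RRset plus its RRSIG, modelled as a bare Ed25519 signature
// (DNSSEC algorithm 15, RFC 8080) without the other RRSIG RDATA fields.
type SignedRRSet struct{ RRSet; RRSIG []byte }

// Sign is the signer's function: it needs the private key.
func Sign(priv ed25519.PrivateKey, rr RRSet) SignedRRSet {
	return SignedRRSet{rr, ed25519.Sign(priv, rr.canonical())}
}

// A publisher is any nameserver handing out signed data and holds no key. A
// faithful one passes the RRset through unchanged; this one alters the data
// and, lacking the key, cannot mint a matching RRSIG.
func Tampering(s SignedRRSet) SignedRRSet {
	s.RRs = append([]string{"192.0.2.99"}, s.RRs...) // constructed TEST-NET-1 address
	return s
}

// Validate is the client's function: it needs only the trust anchor, not
// knowledge of which server delivered the data.
func Validate(anchor ed25519.PublicKey, s SignedRRSet) bool {
	return ed25519.Verify(anchor, s.canonical(), s.RRSIG)
}

func main() {
	anchor, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := Sign(priv, RRSet{"example.", "A", []string{"192.0.2.1"}})
	fmt.Println(Validate(anchor, s), Validate(anchor, Tampering(s))) // true false
}
```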