> On Jul 26, 2018, at 7:39 PM, Steve Crocker <st...@shinkuro.com> wrote:
>
> The passage below puzzles me. Why do you want servers to get the root zone
> from less trusted sources?

Steve,

I wouldn't put it that way. I'd say that the servers shouldn't have to trust the sources, they should have the ability to trust the data itself.

> And why does the source matter if the zone entries are DNSSEC-signed?

Because many records in the (root) zone are not signed. For example none of this is signed:

org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1

If you have an RFC7706 recursive name server you could be given a root zone with changed delegations for any TLD.

If your recursive name server is validating (which it MUST be per 7706) then probably the worst that would happen is an attack on your privacy. The bad name servers can proxy DNS queries to the real ones and thus log your query traffic.

If your name server is not validating then, of course, much worse is possible.

DW
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
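
An added example, not part of the original message or of any DNSOP document: a small check that lists which RRsets in a zone copy have no covering RRSIG, and which differences between two copies fall in those unsigned RRsets. The `org.` NS and glue lines come from the message above; the DS and RRSIG rdata, the function names, and the changed values (`ns.example.net.`, `192.0.2.53`) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample. NS and glue lines are from the message; the DS and
# RRSIG rdata are placeholders, not real root zone data.
REFERENCE = """\
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 86400 IN DS 12345 7 2 PLACEHOLDERDIGEST
org. 86400 IN RRSIG DS 8 1 86400 20180808050000 20180726040000 12345 . PLACEHOLDERSIG
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
"""

# Constructed "received" copy: one delegation target and one glue address
# differ (documentation name and address), signatures untouched.
RECEIVED = (REFERENCE
            .replace("IN NS b0.org.afilias-nst.org.", "IN NS ns.example.net.")
            .replace("199.19.54.1", "192.0.2.53"))

def parse(zone_text):
    """Return (rrsets, covered): rdata per (owner, type), and the set of
    (owner, type) pairs named as type-covered by some RRSIG."""
    rrsets, covered = defaultdict(set), set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks, comments and malformed lines
        owner, rrtype = fields[0].lower(), fields[3].upper()
        if rrtype == "RRSIG":
            covered.add((owner, fields[4].upper()))  # first rdata field
        else:
            rrsets[(owner, rrtype)].add(" ".join(fields[4:]))
    return rrsets, covered

def unsigned_rrsets(zone_text):
    """RRsets present in the zone copy with no covering RRSIG."""
    rrsets, covered = parse(zone_text)
    return sorted(k for k in rrsets if k not in covered)

def unsigned_changes(reference, received):
    """RRsets that differ between the copies and carry no RRSIG in the
    received copy, so checking signatures on that copy cannot flag them."""
    ref, _ = parse(reference)
    got, covered = parse(received)
    return sorted(k for k in set(ref) | set(got)
                  if ref.get(k) != got.get(k) and k not in covered)
```

This only checks whether an RRSIG record is present for each RRset; it does not verify signatures, and it assumes one record per line in the `owner ttl class type rdata` layout shown in the message.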