Op 17-03-2025 om 13:45 schreef Ralf Weber:
Yes, local root in combination with ZONEMD provides equal protection where it counts most (as mentioned in the draft), but NS revalidation is more generic, and doesn't require more that just DNS queries. It is easy to just comment out `harden-referral-path: yes` in unbound.conf (as Redhat Enterprise Linux has done for example).Moin!On 17 Mar 2025, at 17:53, Shumon Huque wrote:I couldn't remember exactly what text we put in. Looks like section 8.3 (Other Considerations) 2nd paragraph acknowledges the existence of parent centric implementations, but yes, that is not the same as saying optionally not doing it. I think this text was put in after consultation with Ralf Weber.Correct and this is the only section of the draft that the Akamai resolvers comply with in this draft. The draft also mentions ZONEMD and local root, which supply a better protection for root and the TLD level (as almost all TLDs are signed currently) then trying to do what this draft proposes.
>From an implementation perspective I stand by my argument that the increased complexity in resolver operations caused by this draft does not outweigh the perceived benefit of it. With perceived benefit I mean is that DNSSEC is supposed to detect data forgery and for that it does not matter if I get the correct data from the wrong server, or to paraphrase Geoff Houston you can pick up your DNSSEC answer from the street and still validate it.
But many zones are still not DNSSEC signed. Making sure that responses are answered by the correct authoritative name servers (NS revalidation), protects the unsigned zones and the non-validating resolvers as well, and as such improves the security of the internet as a whole. The more resolvers do this, the better.
It looks like other implementers (Knot) came to the same conclusion.
Well, maybe not intentional, but Knot resolver does revalidate the priming query. They practice NS revalidation where it counts the most of all right now and have been doing so since 2017.
-- Willem
So long -Ralf ——- Ralf Weber _______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
OpenPGP_0xE5F8F8212F77A498_and_old_rev.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
