>> This is a question of attack model. If we say that this attack model is >> unrealistic, then we should document that somewhere. And explcitly say >> that those types of attacks will not be considered by the wg. > >If a name wants poisoning protection, they should sign it.
Parent-side NS records are never signed. But I think we should not make such statements only on the mailing list. Unbound contains a significant amount of processing to try to protect unsigned zones. If we have consensus that unsigned zones are not worth protection then we need to be public about that. It is possible that quite a few stateholders that use the internet would become quite upset if we were publish a statement like that. So maybe until we find consensus about a statement that unsigned zones are not worth protection, we continue to act as if they do. Finally, there is also the issue of privacy. Because parent-side NS records are never signed, an attacker that can subvert the priming query for the root zone can inspect all of a parent-centric resolver's traffic. I think that is not in line with the IETF's stance on privacy. _______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
