> On 9 Feb 2024, at 03:10, darkde...@darkdevil.dk wrote:
> 
> On 31-01-2024 at 20:47, Bjørn Mork wrote:
>> Why do they put their DNS servers in an unsigned zone?
> 
> To try to make a more in-depth example:
> 
> At the moment, .COM/.NET is relying on GTLD-SERVERS.NET for the authoritative 
> DNS.
> 
> GTLD-SERVERS.NET is currently relying on NSTLD.COM for the authoritative DNS.
> 
> With this example, you are asking why neither GTLD-SERVERS.NET nor NSTLD.COM 
> has been DNSSEC signed?
> 
> In that case, I would probably be extending that a bit, considering a lot of 
> critical resources out there (even if announced as IPv6 /48 and IPv4 /24) 
> still do not have any RPKI ROA, at all.
> 
> (But maybe that's just me...)

The NS records in a delegation are NOT SIGNED. The glue addresses in a referral are NOT SIGNED.

Resolvers use those. They should get back signed answers from signed zones which are verifiable. If they get back unsigned answers for signed zones they will be rejected. If they get back unsigned answers from an unsigned zone then all bets are off. DNSSEC sign your zones if you are worried about that. There is potential for information leakage with this strategy, but not wrong answers being returned from signed zones. Signing the zones would help a little with the information leakage when the servers are not learnt by glue. It is impossible to prevent all information leakage even if all zones, delegations and glue were signed.


> -- 
> Med venlig hilsen / Kind regards,
> Arne Jensen
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
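The validation flow Mark describes, as an added toy model (this is not ISC or BIND code, and nothing here is real DNS wire format): a referral carries unsigned NS records and unsigned glue plus a DS signed by the parent; the resolver simply follows the glue, then accepts the final answer only if the child's key hashes to the parent's DS and the RRSIG verifies. The zone names, addresses and "keys" are constructed, and DNSKEY/DS/RRSIG are stood in for by an HMAC key, its SHA-256 and an HMAC tag respectively.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Toy stand-ins for DNSSEC primitives, constructed for this example: a zone's
# DNSKEY is an HMAC key, the parent's DS is the SHA-256 of that key, and an
# RRSIG is an HMAC over the canonical text of the record.
def ds_of(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

def rrsig(key: bytes, owner: str, rtype: str, value: str) -> str:
    return hmac.new(key, f"{owner} {rtype} {value}".encode(), hashlib.sha256).hexdigest()

@dataclass
class RR:
    owner: str
    rtype: str
    value: str
    sig: Optional[str] = None   # None: the record comes without an RRSIG

@dataclass
class Referral:
    ns: List[RR]                # delegation NS records at the parent: never signed
    glue: Dict[str, str]        # nameserver name -> address: never signed
    ds: Optional[RR]            # DS signed by the parent; absent for an unsigned child

@dataclass
class Zone:
    name: str
    key: Optional[bytes]        # None: the zone is not DNSSEC signed
    data: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def answer(self, owner: str, rtype: str) -> RR:
        value = self.data[(owner, rtype)]
        sig = rrsig(self.key, owner, rtype, value) if self.key else None
        return RR(owner, rtype, value, sig)

    def dnskey(self) -> Optional[bytes]:
        return self.key

class WrongServer(Zone):
    """A server reached through wrong glue: answers anything with its own data and key."""
    def answer(self, owner: str, rtype: str) -> RR:
        return RR(owner, rtype, "203.0.113.66", rrsig(self.key, owner, rtype, "203.0.113.66"))

@dataclass
class Parent(Zone):
    # child zone -> (NS names, glue, child's key or None for an unsigned child)
    children: Dict[str, Tuple[List[str], Dict[str, str], Optional[bytes]]] = field(default_factory=dict)

    def refer(self, child: str) -> Referral:
        ns_names, glue, child_key = self.children[child]
        ns = [RR(child, "NS", n) for n in ns_names]      # no RRSIG on delegation NS
        ds = None
        if child_key is not None:
            digest = ds_of(child_key)
            ds = RR(child, "DS", digest, rrsig(self.key, child, "DS", digest))
        return Referral(ns, glue, ds)

def resolve(qname: str, qtype: str, parent: Parent, servers: Dict[str, Zone],
            trust_anchor: str, log: List[str]) -> Tuple[str, Optional[str]]:
    """Follow one referral from `parent` and validate what comes back.
    Returns ('secure' | 'insecure' | 'bogus', value)."""
    if parent.key is None or ds_of(parent.key) != trust_anchor:
        return ("bogus", None)
    child = qname.split(".", 1)[1]           # "www.example.com" -> "example.com"
    ref = parent.refer(child)
    # The DS is signed by the parent and is checked; the NS names and glue are
    # not signed and are simply used, which is the point made in the mail above.
    if ref.ds is not None and ref.ds.sig != rrsig(parent.key, ref.ds.owner, "DS", ref.ds.value):
        return ("bogus", None)
    addr = ref.glue[ref.ns[0].value]
    log.append(f"{qname}/{qtype} -> {addr}")   # whoever answers at addr learns what was asked
    server = servers[addr]
    rr = server.answer(qname, qtype)
    if ref.ds is None:
        return ("insecure", rr.value)         # unsigned child: accepted as-is, no way to tell
    key = server.dnskey()
    if key is None or ds_of(key) != ref.ds.value or rr.sig != rrsig(key, rr.owner, rr.rtype, rr.value):
        return ("bogus", None)                # signed child, chain does not verify: rejected
    return ("secure", rr.value)

def run_scenarios() -> Dict[str, object]:
    com_key, example_key, wrong_key = b"com-key", b"example-key", b"wrong-key"  # constructed
    com = Parent("com", com_key)
    servers: Dict[str, Zone] = {
        "192.0.2.1": Zone("example.com", example_key, {("www.example.com", "A"): "198.51.100.10"}),
        "192.0.2.2": Zone("unsigned.com", None, {("www.unsigned.com", "A"): "198.51.100.20"}),
        "192.0.2.9": WrongServer("wrong", wrong_key),
    }
    log: List[str] = []
    anchor = ds_of(com_key)
    # Correct (but unsigned) glue for both children.
    com.children["example.com"] = (["ns1.example-ns.net"], {"ns1.example-ns.net": "192.0.2.1"}, example_key)
    com.children["unsigned.com"] = (["ns1.unsigned-ns.net"], {"ns1.unsigned-ns.net": "192.0.2.2"}, None)
    good = resolve("www.example.com", "A", com, servers, anchor, log)
    # The unsigned glue now points at the wrong server; DNSSEC does not cover it.
    com.children["example.com"] = (["ns1.example-ns.net"], {"ns1.example-ns.net": "192.0.2.9"}, example_key)
    com.children["unsigned.com"] = (["ns1.unsigned-ns.net"], {"ns1.unsigned-ns.net": "192.0.2.9"}, None)
    signed_child = resolve("www.example.com", "A", com, servers, anchor, log)
    unsigned_child = resolve("www.unsigned.com", "A", com, servers, anchor, log)
    return {"good": good, "signed_child": signed_child, "unsigned_child": unsigned_child, "log": log}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Running it shows the three outcomes side by side: with correct glue the signed child resolves as secure; with wrong glue the signed child's answer is bogus and discarded, but the query log still records that the resolver talked to the wrong address (the information leakage); and the unsigned child's wrong answer is accepted as insecure, which is the "all bets are off" case.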
