> On 09-Feb-2024, at 02:03, ma...@isc.org wrote:
>
>> On 9 Feb 2024, at 03:10, darkde...@darkdevil.dk wrote:
>>
>>> On 31-01-2024 at 20:47, Bjørn Mork wrote:
>>> Why do they put their DNS servers in an unsigned zone?
>>
>> To try to make a more in-depth example:
>>
>> At the moment, .COM/.NET is relying on GTLD-SERVERS.NET for the
>> authoritative DNS.
>>
>> GTLD-SERVERS.NET is currently relying on NSTLD.COM for the authoritative DNS.
>>
>> With this example, you are asking why neither GTLD-SERVERS.NET nor NSTLD.COM
>> has been DNSSEC signed?
>>
>> In that case, I would probably be extending that a bit, considering a lot of
>> critical resources out there (even if announced as IPv6 /48 and IPv4 /24)
>> still do not have any RPKI ROA, at all.
>>
>> (But maybe that's just me...)
>
> The NS records in a delegation are NOT SIGNED. The glue addresses in a
> referral are NOT SIGNED.

For taking care of referrals and delegations, the IETF has started preliminary work. More info here -
https://mailarchive.ietf.org/arch/msg/dd/srNtevzS-jrPzMxYv1nATCY5JkM/

> Resolvers use those. They should get back signed answers from signed zones
> which are verifiable. If they get back unsigned answers for signed zones they
> will be rejected. If they get back unsigned answers from an unsigned zone
> then all bets are off. DNSSEC sign your zones if you are worried about that.
> There is potential for information leakage with this strategy, but not wrong
> answers being returned from signed zones. Signing the zones would help a
> little with the information leakage when the servers are not learnt by glue.
> It is impossible to prevent all information leakage even if all zones,
> delegations and glue were signed.
>
>> --
>> Med venlig hilsen / Kind regards,
>> Arne Jensen
>>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
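As an added illustration of the point Mark makes above (this is example code written for this page, not code from the thread, from ISC or from the IETF draft linked above), here is a toy model of a validating resolver following a referral whose NS name and glue address are unsigned. A keyed HMAC stands in for RRSIG/DNSKEY; real DNSSEC uses public-key signatures, but the property relied on is the same: without the zone's signing key nobody can produce a signature that validates. All zone names, keys and addresses are constructed for the example.

```python
"""Toy model: unsigned NS/glue lets an attacker receive the resolver's
queries, but for a signed zone the forged answers still fail validation.
Added example, not from the thread.  HMAC stands in for RRSIG/DNSKEY;
names, keys and addresses below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Zones whose parent publishes a DS: the resolver can obtain and trust the key.
# (Constructed key; in real DNSSEC this is a DNSKEY chained from the root.)
DS_KEYS: Dict[str, bytes] = {"signed.example.": b"constructed-key-signed.example"}


def rrsig(zone_key: bytes, name: str, rdata: str) -> str:
    """Stand-in for an RRSIG over one record (owner name + rdata)."""
    return hmac.new(zone_key, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Answer:
    name: str
    rdata: str
    sig: Optional[str] = None  # None models an unsigned answer


@dataclass
class Nameserver:
    """An authoritative server at one address (what a glue record points at)."""
    records: Dict[str, Answer]


@dataclass
class Referral:
    """What the parent hands back: the child's NS name plus a glue address.
    Neither is covered by a signature the resolver validates against the
    child zone; that is the gap discussed in the thread."""
    zone: str
    ns_name: str
    glue_addr: str


@dataclass
class Resolver:
    network: Dict[str, Nameserver]  # address -> server
    queried: List[Tuple[str, str]] = field(default_factory=list)  # (addr, qname) sent

    def lookup(self, qname: str, ref: Referral) -> Tuple[str, Optional[str]]:
        """Follow the referral and validate.  Returns (state, rdata), with
        state 'secure', 'insecure' or 'bogus' as in RFC 4035 section 4.3."""
        # The query goes wherever the (unsigned) glue says: this is the leak.
        self.queried.append((ref.glue_addr, qname))
        ans = self.network[ref.glue_addr].records.get(qname)
        key = DS_KEYS.get(ref.zone)
        if key is None:
            # Unsigned zone: nothing to validate, whatever came back is used.
            return "insecure", (ans.rdata if ans else None)
        if ans is None or ans.sig is None:
            return "bogus", None  # unsigned answer for a signed zone
        if hmac.compare_digest(rrsig(key, ans.name, ans.rdata), ans.sig):
            return "secure", ans.rdata
        return "bogus", None  # signature present but does not verify


def run_scenarios() -> Dict[str, object]:
    """Honest referral vs. a referral whose glue was swapped for an
    attacker's address, for a signed and for an unsigned child zone."""
    key = DS_KEYS["signed.example."]
    legit = Nameserver({
        "www.signed.example.": Answer("www.signed.example.", "192.0.2.10",
                                      rrsig(key, "www.signed.example.", "192.0.2.10")),
        "www.unsigned.example.": Answer("www.unsigned.example.", "192.0.2.20"),
    })
    # The attacker holds no zone key, so the best it can do is sign the
    # forged record with some other key (or leave it unsigned).
    attacker = Nameserver({
        "www.signed.example.": Answer("www.signed.example.", "198.51.100.66",
                                      rrsig(b"attacker-key", "www.signed.example.", "198.51.100.66")),
        "www.unsigned.example.": Answer("www.unsigned.example.", "198.51.100.66"),
    })
    r = Resolver({"192.0.2.53": legit, "198.51.100.53": attacker})
    honest_signed = Referral("signed.example.", "ns.signed.example.", "192.0.2.53")
    hijacked_signed = Referral("signed.example.", "ns.signed.example.", "198.51.100.53")
    hijacked_unsigned = Referral("unsigned.example.", "ns.unsigned.example.", "198.51.100.53")
    return {
        "honest_signed": r.lookup("www.signed.example.", honest_signed),
        "hijacked_signed": r.lookup("www.signed.example.", hijacked_signed),
        "hijacked_unsigned": r.lookup("www.unsigned.example.", hijacked_unsigned),
        "queried": list(r.queried),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(label, result)
```

The three outcomes line up with the message: the signed zone behind a hijacked glue address yields "bogus" and no data is returned, the unsigned zone behind the same hijack yields the attacker's address as "insecure", and in both cases the resolver's `queried` list shows the query name went to the attacker's server, which is the information leakage signing alone cannot remove.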