[dns-operations] Validation direction (Was: Re: Org Dnskey TTL)

Phil Regnauld regnauld at nsrc.org
Tue Apr 20 14:07:35 UTC 2010


Andrew Sullivan (ajs) writes:
> 
> Sorry, I guess I wasn't clear enough.  The question was whether the
> short TTL causes operational effects.  The answer was no, but maybe as
> there were more zones signed under .org there would be because the
> .org key would need to be fetched more often.

	Yes, agreed.

> Certainly, that key will need to be fetched more often than otherwise if
> many child zones are signed and validators do bottom-up validation.

	BIND does top-down validation, right?

	Do you have any example of validators doing bottom-up?  If I understand
	correctly, bottom-up implies walking the delegations until we find a
	server offering the DNSKEY for the target name, then validating that
	using the parent domain's signature on the DS of the child, until
	we have validated the TLD's DS with the root ZSK, correct?

	Is there some inherent advantage to doing bottom-up validation?
	I can understand why one would want to do top-down: at first thought,
	there is less back-and-forth that needs to be done, as one can pick up
	(NS, DS+RRSIG), and (NS+RRSIG, DNSKEY+RRSIG) -- if querying ANY with DO,
	that is.  Otherwise, I guess it's the same amount of work?  Maybe less
	state to keep in one mode vs the other.

> If just about every validator ends up going top-down, then there will be no effect
> (as Mark suggested), because validation will just stop at org for
> unsigned zones (but in any case, the key will have to be fetched after
> the TTL).

	Absolutely.

	Phil
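The two walks discussed in this message as a toy model, added here as an example (constructed, not code from this thread or from any validator): a DS is modelled as the SHA-256 digest of the child's DNSKEY, RRSIG verification and NSEC proofs are abstracted into "the signed parent publishes no DS", every ancestor of a signed zone is assumed to be signed, and each function returns the validation status together with the list of zones whose DNSKEY it had to fetch.

```python
import hashlib
# Constructed toy model of the DNSSEC chain of trust (not code from the thread).
# A DS is the SHA-256 digest of the child's DNSKEY; RRSIG and NSEC checks are
# abstracted away (no DS in a signed parent = insecure delegation).
def digest(key):
    return hashlib.sha256(key).hexdigest()   # stand-in for a DS digest
ROOT_KEY = b"root-ksk (constructed)"
TRUST_ANCHOR = digest(ROOT_KEY)              # the validator's configured anchor
ZONES = {  # dnskey=None marks an unsigned zone; "ds" = DS records the zone publishes
    ".":             {"dnskey": ROOT_KEY,     "ds": {"org.": digest(b"org-ksk")}},
    "org.":          {"dnskey": b"org-ksk",   "ds": {"signed.org.": digest(b"child-ksk")}},
    "signed.org.":   {"dnskey": b"child-ksk", "ds": {}},
    "unsigned.org.": {"dnskey": None,         "ds": {}},
}
def parent(name):
    return name.split(".", 1)[1] or "."
def path_from_root(name):                    # 'signed.org.' -> ['org.', 'signed.org.']
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def top_down(name, zones=ZONES):
    # Start at the trust anchor and follow DS records down towards the target.
    fetched, zone = ["."], "."
    if digest(zones["."]["dnskey"]) != TRUST_ANCHOR:
        return "bogus", fetched
    for child in path_from_root(name):
        ds = zones[zone]["ds"].get(child)
        if ds is None:                       # signed parent has no DS: stop, insecure
            return "insecure", fetched
        fetched.append(child)
        if (key := zones[child]["dnskey"]) is None or digest(key) != ds:
            return "bogus", fetched
        zone = child
    return "secure", fetched

def bottom_up(name, zones=ZONES):
    # Start at the target and climb towards the root, checking each DS on the way.
    zone = name
    while zones[zone]["dnskey"] is None:     # unsigned: climb to closest signed ancestor
        zone = parent(zone)
    status, fetched = ("secure" if zone == name else "insecure"), [zone]
    while True:
        expected = TRUST_ANCHOR if zone == "." else zones[parent(zone)]["ds"].get(zone)
        if expected != digest(zones[zone]["dnskey"]):
            return "bogus", fetched
        if zone == ".":
            return status, fetched
        zone = parent(zone)
        fetched.append(zone)
```

For the unsigned child both walks end up fetching the org key: top-down stops at org because it finds no DS there, bottom-up climbs to org as the closest signed ancestor and then still has to validate org's key up to the anchor.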
