[dns-operations] Validation direction (Was: Re: Org Dnskey TTL)

Edward Lewis Ed.Lewis at neustar.biz
Tue Apr 20 14:41:50 UTC 2010

At 16:07 +0200 4/20/10, Phil Regnauld wrote:

>	Is there some inherent advantage to doing bottom-up validation ?

Yes, yes, there is.  I shudder to think that anyone would assume the 
opposite.  Validation was designed to be from the received data up to 
a trust anchor.

(Side note - When I wrote a validator in '98 it had two "phases" - 
optimistic/opportunistic and then pessimistic/pendantic. Once a query 
was satisfied, the validator would assume all the data came in good 
and then optimistically verify back to a trust anchor. If there was a 
failure, then the iterator would start again contacting only 
authoritative sources and validate each step down the tree.  The 
former was cheaper to do and more likely the case - as attacks are 
rare - hence it was done first.  I only become paranoid as a last 

When you look at a terminal answer to a question (meaning, a match 
for QNAME, QCLASS, and QTYPE), you will also have an RRSIG.  In the 
RRSIG is the name of the key that signed it.  From that you validate 
the key by finding the key that signed it, and so on, until you reach 
a key you just trust.  There may be multiple signatures, hence 
multiple keys, hence multiple chains to try.

You have to decide whether a key is authorized to sign.  Today we 
assume the authorized key is only one of the zone's keys, but that 
wasn't in the original design.

Bottom up reinforces that DNSSEC is about protecting the consumer, 
and that "local policy" is the trump card.  The consumer can decide 
at what point they trust the chain and can decide whom they trust to 
sign data.  Even today it is not "illegal" to rely on a third party - 
it's just not the common path.

Had this all been top down, we'd have all sorts of other issues - 
like hardening down the tree when by its nature it's very loose. 
(Loose is good for scaling.)

There's also another aspect of this.  The job of the DNS is to get 
you an answer.  Depth first like.  BIND chooses to fill in the whole 
tree of data (NS and addresses) to get to an answer, but it even does 
that in parallel to the lookup driving the filling.  Job 1 - get the 
answer.  Job 2 - make sure it's good.  Remember that the delegation 
NS and glue are hints - and that is why - we are running to the 
answer first, asking questions later.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Wouldn't it be nice if all of the definitions of equivalence were the same?

More information about the dns-operations mailing list