[dns-operations] Validation direction (Was: Re: Org Dnskey TTL)
Ed.Lewis at neustar.biz
Tue Apr 20 14:41:50 UTC 2010
At 16:07 +0200 4/20/10, Phil Regnauld wrote:
> Is there some inherent advantage to doing bottom-up validation ?
Yes, yes, there is. I shudder to think that anyone would assume the
opposite. Validation was designed to be from the received data up to
a trust anchor.
(Side note - When I wrote a validator in '98 it had two "phases" -
optimistic/opportunistic and then pessimistic/pendantic. Once a query
was satisfied, the validator would assume all the data came in good
and then optimistically verify back to a trust anchor. If there was a
failure, then the iterator would start again contacting only
authoritative sources and validate each step down the tree. The
former was cheaper to do and more likely the case - as attacks are
rare - hence it was done first. I only become paranoid as a last
When you look at a terminal answer to a question (meaning, a match
for QNAME, QCLASS, and QTYPE), you will also have an RRSIG. In the
RRSIG is the name of the key that signed it. From that you validate
the key by finding the key that signed it, and so on, until you reach
a key you just trust. There may be multiple signatures, hence
multiple keys, hence multiple chains to try.
You have to decide whether a key is authorized to sign. Today we
assume the authorized key is only one of the zone's keys, but that
wasn't in the original design.
Bottom up reinforces that DNSSEC is about protecting the consumer,
and that "local policy" is the trump card. The consumer can decide
at what point they trust the chain and can decide whom they trust to
sign data. Even today it is not "illegal" to rely on a third party -
it's just not the common path.
Had this all been top down, we'd have all sorts of other issues -
like hardening down the tree when by its nature it's very loose.
(Loose is good for scaling.)
There's also another aspect of this. The job of the DNS is to get
you an answer. Depth first like. BIND chooses to fill in the whole
tree of data (NS and addresses) to get to an answer, but it even does
that in parallel to the lookup driving the filling. Job 1 - get the
answer. Job 2 - make sure it's good. Remember that the delegation
NS and glue are hints - and that is why - we are running to the
answer first, asking questions later.
NeuStar You can leave a voice message at +1-571-434-5468
Wouldn't it be nice if all of the definitions of equivalence were the same?
More information about the dns-operations