[dns-operations] Validation direction (Was: Re: Org Dnskey TTL)
Mark Andrews
marka at isc.org
Tue Apr 20 23:06:09 UTC 2010
In message <20100420140734.GR99077 at macbook.catpipe.net>, Phil Regnauld writes:
> Andrew Sullivan (ajs) writes:
> >
> > Sorry, I guess I wasn't clear enough. The question was whether the
> > short TTL causes operational effects. The answer was no, but maybe as
> > there were more zones signed under .org there would be because the
> > .org key would need to be fetched more often.
>
> Yes, agreed.
>
> > Certainly, that key will need to be fetched more often than otherwise if
> > many child zones are signed and validators do bottom-up validation.
>
> BIND does top down validation, right?

Yes and no. It starts out bottom up; it follows the signer fields
of the RRSIG records using a stack. To prove insecure it works top
down from the closest trust anchor/DLV record looking for a no-DS at
a delegation.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
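
The two directions described in the reply above, as an added sketch that is not BIND's code and not part of the original message. It is a simplified model: the zone names, the signer table, the delegation sets, the single `org.` trust anchor and all function names are constructed for illustration, and no cryptographic checks are performed.

```python
# Toy model, constructed data. (owner, type) -> signer name taken from the
# RRSIG covering that RRset. Not real zone contents.
RRSIG_SIGNER = {
    ("www.example.org.", "A"): "example.org.",
    ("example.org.", "DNSKEY"): "example.org.",
    ("example.org.", "DS"): "org.",
    ("org.", "DNSKEY"): "org.",
}
DELEGATIONS = {"example.org.", "unsigned.org."}  # constructed zone cuts under org.
DS_PRESENT = {"example.org."}                    # unsigned.org. has no DS
TRUST_ANCHORS = {"org."}                         # assumed configured anchor


def build_chain(owner, rtype):
    """Bottom-up: follow signer fields, stacking each RRset still to validate."""
    stack = [(owner, rtype)]
    while True:
        owner, rtype = stack[-1]
        signer = RRSIG_SIGNER.get((owner, rtype))
        if signer is None:
            raise LookupError(f"no RRSIG covering {owner} {rtype}")
        if rtype == "DNSKEY" and owner in TRUST_ANCHORS:
            return stack                       # key set checked against the anchor
        if rtype == "DNSKEY":
            stack.append((owner, "DS"))        # key set is vouched for by parent's DS
        else:
            stack.append((signer, "DNSKEY"))   # need the signer's keys first


def validation_order(owner, rtype):
    """Unwind the stack: signatures are checked from the anchor downwards."""
    return list(reversed(build_chain(owner, rtype)))


def prove_insecure(name):
    """Top-down from the closest trust anchor: first delegation with no DS."""
    labels = name.rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) + "." for i in range(len(labels))]
    anchors = [s for s in suffixes if s in TRUST_ANCHORS]
    if not anchors:
        raise LookupError(f"no trust anchor above {name}")
    below = suffixes[:suffixes.index(anchors[0])]   # names under the anchor
    for cand in reversed(below):                    # shortest name first
        if cand in DELEGATIONS and cand not in DS_PRESENT:
            return cand                             # insecure from this cut down
    return None                                     # every cut has a DS
```

In this model every chain for a signed child ends at the `org.` DNSKEY RRset, which is the key whose TTL the thread is discussing.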