[dns-operations] Validation direction (Was: Re: Org Dnskey TTL)
marka at isc.org
Tue Apr 20 23:06:09 UTC 2010
In message <20100420140734.GR99077 at macbook.catpipe.net>, Phil Regnauld writes:
> Andrew Sullivan (ajs) writes:
> > Sorry, I guess I wasn't clear enough. The question was whether the
> > short TTL causes operational effects. The answer was no, but maybe as
> > there were more zones signed under .org there would be because the
> > .org key would need to be fetched more often.
> Yes, agreed.
> > Certainly, that key will need to be fetched more often than otherwise if
> > many child zones are signed and validators do bottom-up validation.
> BIND does top down validation, right ?
Yes and no. It starts out bottom up, it follows the signer fields
of the RRSIG records using a stack. To prove insecure it works top
down from the closest trust anchor/dlv record looking for a no-DS at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations