[dns-operations] DNSSEC in the root, please help me understand

Roy Arends roy at dnss.ec
Fri Jan 15 20:35:30 UTC 2010

On Jan 15, 2010, at 3:38 AM, Marco Davids wrote:

> Hello everyone,
> Can someone please enlighten me a little bit on the following:
> * root will be signed any time soon.
> How usefull is that, if the zones 'net.', 'gtld-servers.net.' and
> 'ROOT-SERVERS.NET.' won't be signed as well?

Hi Marco, 

I think it is very useful. In fact, I think signing of gtld-servers.net and root-servers.net is not that useful at all.

Suppose you want to validate www.example.se, which happened to be hosted from ns[12345].unsigned.com. 

A validator, configured with trust anchor for root, attempts to validate the chain of trust from the trust-anchor to www.example.se, i.e. 

TA ->  
root(DNSKEY) ->   
se(DS) ->   
se(DNSKEY) ->   
example.se(DS) ->   
example.se(DNSKEY) ->  

If it validates correctly, do you care if it came from a server that was spoofed, hacked, b0rked, slow, has a really funny name, or from the proper servers? I don't, since it validates correctly.

If it doesn't validate correctly (i.e. bogus data), do you care where it comes from? I don't, as it doesn't validate, so I won't use it.

If part of the chain is proven unsigned, you _can't_ validate www.example.se, regardless if you _can_ validate ns.unsigned.com, gtld-serers.net or root-servers.net.

Hence, the value is in the chain of trust, not in arbitrary glue records or delegation point NS records. 

Roy Arends
Sr Researcher
Nominet UK 

More information about the dns-operations mailing list