[dns-operations] DNSSEC in the root, please help me understand
Roy Arends
roy at dnss.ec
Fri Jan 15 20:35:30 UTC 2010
On Jan 15, 2010, at 3:38 AM, Marco Davids wrote:
> Hello everyone,
>
> Can someone please enlighten me a little bit on the following:
>
> * root will be signed any time soon.
>
> How useful is that, if the zones 'net.', 'gtld-servers.net.' and
> 'ROOT-SERVERS.NET.' won't be signed as well?
Hi Marco,
I think it is very useful. In fact, I think signing of gtld-servers.net and root-servers.net is not that useful at all.
Suppose you want to validate www.example.se, which happened to be hosted from ns[12345].unsigned.com.
A validator, configured with trust anchor for root, attempts to validate the chain of trust from the trust-anchor to www.example.se, i.e.
TA ->
root(DNSKEY) ->
se(DS) ->
se(DNSKEY) ->
example.se(DS) ->
example.se(DNSKEY) ->
www.example.se(A)
If it validates correctly, do you care if it came from a server that was spoofed, hacked, b0rked, slow, has a really funny name, or from the proper servers? I don't, since it validates correctly.
If it doesn't validate correctly (i.e. bogus data), do you care where it comes from? I don't, as it doesn't validate, so I won't use it.
If part of the chain is proven unsigned, you _can't_ validate www.example.se, regardless of whether you _can_ validate ns.unsigned.com, gtld-servers.net or root-servers.net.
Hence, the value is in the chain of trust, not in arbitrary glue records or delegation point NS records.
Roy Arends
Sr Researcher
Nominet UK
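An added illustration, not part of the thread, of the validation logic described above: a toy Python model of the chain TA -> root(DNSKEY) -> se(DS) -> se(DNSKEY) -> example.se(DS) -> example.se(DNSKEY) -> www.example.se(A). The zone names, the addresses 192.0.2.10 and 203.0.113.66, and the HMAC used as a stand-in for real RRSIG signatures are constructed assumptions; the point is that a tampered answer is bogus whoever served it, and an unsigned link ends the chain.

```python
import hashlib, hmac, os

# Constructed toy model, NOT real DNSSEC cryptography: a zone's "DNSKEY" is a
# random secret, an "RRSIG" is an HMAC over the RRset under that secret, and a
# "DS" record is the SHA-256 of the child's DNSKEY. Only the chain logic is real.

def make_zone(name, signed=True):
    return {"name": name, "key": os.urandom(32) if signed else None, "rrsets": {}}

def publish(zone, rrtype, data):
    # Signed zones attach an RRSIG to every RRset; unsigned zones publish bare data.
    sig = hmac.new(zone["key"], rrtype.encode() + data, "sha256").digest() if zone["key"] else None
    zone["rrsets"][rrtype] = (data, sig)

def ds_of(zone):
    return hashlib.sha256(zone["key"]).digest()

def validate_chain(trust_anchor, zones, final_rrtype):
    """Walk from the trust anchor down to the final RRset. Returns ('secure', name),
    ('insecure', zone) for a proven-unsigned link, or ('bogus', rrset) on failure."""
    expected = trust_anchor                      # hash the next DNSKEY must match
    for i, zone in enumerate(zones):
        key = zone["key"]
        if key is None:
            return "insecure", zone["name"]      # chain ends here: nothing below can validate
        if hashlib.sha256(key).digest() != expected:
            return "bogus", zone["name"] + " DNSKEY"
        rrtype = final_rrtype if i == len(zones) - 1 else "DS"
        data, sig = zone["rrsets"][rrtype]
        good = hmac.new(key, rrtype.encode() + data, "sha256").digest()
        if sig is None or not hmac.compare_digest(sig, good):
            return "bogus", zone["name"] + " " + rrtype   # modified data, whoever served it
        expected = data                          # the validated DS pins the child's DNSKEY
    return "secure", zones[-1]["name"]

def build_chain(unsigned=None):
    # Zones for the example: root -> se -> example.se (holding the www.example.se A record).
    zones = [make_zone(n, signed=(n != unsigned)) for n in (".", "se", "example.se")]
    for parent, child in zip(zones, zones[1:]):
        publish(parent, "DS", ds_of(child) if child["key"] else b"")
    publish(zones[-1], "A", b"192.0.2.10")       # constructed address for www.example.se
    return ds_of(zones[0]), zones                # trust anchor = DS-style hash of the root key

def spoof_answer(zones, fake=b"203.0.113.66"):
    # An answer altered in transit or by a rogue server: data changed, RRSIG kept.
    _, sig = zones[-1]["rrsets"]["A"]
    zones[-1]["rrsets"]["A"] = (fake, sig)
    return zones
```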