[dns-operations] .com/.net DNSSEC operational message
Florian Weimer
fweimer at bfk.de
Mon Nov 1 13:52:53 UTC 2010
* Joe Abley:
> The priming query ". IN NS?" with DO=1 already includes an RRSIG
> over the NS set; since the data from the ROOT-SERVERS.NET zone is
> all additional-section courtesy glue, it's not obvious to me that
> signing ROOT-SERVERS.NET would increase the size of the priming
> response.
There are some servers that add RRSIGs known to them to the additional
section. I'm pretty certain we don't want them on the priming
response.
> Discussions to date have tended to conclude that there's no actual
> security benefit from signing the ROOT-SERVERS.NET zone.
I'm not sure I agree with that. If there's ever another practical
blind spoofing vulnerability, having a signed ROOT-SERVERS.NET zone
seems desirable because it's the only way you can be sure that you're
talking to the right addresses, short of additional protocol
enhancements.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
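The exchange above turns on two wire-format details: the priming query is ". IN NS" with the EDNS0 DO bit set, and the RRSIG over the root NS set arrives in the answer section while any RRSIGs a server chooses to attach to the glue land in the additional section and inflate the response. The following is an added example, not code from the original message or from any dns-operations tooling: it builds the DO=1 priming query, parses a priming response, and counts RRSIGs per section. The response is constructed inline (helper names such as `constructed_priming_response`, `filler_rrsig` and `rr` are this example's own; the glue address is from the RFC 5737 documentation range and the signature bytes are zero filler, not a real signature).

```python
"""Added example, not part of Florian Weimer's message or any dns-operations
tooling: build the DNSSEC priming query ". IN NS?" with EDNS0 DO=1 and
inspect where the RRSIGs in a priming response sit.  The response is
constructed here with an RFC 5737 documentation address and filler
signatures; it is not captured traffic."""
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46
CLASS_IN = 1
EDNS_DO = 0x8000          # DO bit lives in the high half of the OPT TTL field


def encode_name(name):
    """Dotted name -> uncompressed wire format ("." -> b"\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_priming_query(qid=0x1234, bufsize=4096):
    """". IN NS" with an OPT RR (RFC 6891) carrying DO=1 (RFC 3225)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)   # RD=0, one OPT in ARCOUNT
    question = encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return header + question + opt


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(data):
    """Split a DNS message into question and the three RR sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    msg = {"id": qid, "flags": flags, "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = read_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            records.append((name, rtype, rclass, ttl, data[off:off + rdlen]))
            off += rdlen
        msg[section] = records
    return msg


def rrsig_count(msg):
    """RRSIGs per section: the answer RRSIG covers the NS set; anything in
    additional is the extra weight the message objects to."""
    return {s: sum(1 for r in msg[s] if r[1] == TYPE_RRSIG)
            for s in ("answer", "authority", "additional")}


def do_bit_set(msg):
    """True if an OPT RR with DO=1 is present in the additional section."""
    return any(r[1] == TYPE_OPT and r[3] & EDNS_DO for r in msg["additional"])


def rr(name, rtype, rdata, ttl=518400, rclass=CLASS_IN):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def filler_rrsig(covered, labels, signer):
    """RRSIG RDATA layout (RFC 4034 s3.1) with a zeroed 64-byte signature."""
    return (struct.pack("!HBBIIIH", covered, 8, labels, 518400, 0, 0, 4242)
            + encode_name(signer) + b"\x00" * 64)


def constructed_priming_response(with_glue_rrsig):
    """Constructed priming response: signed NS set in answer, glue in
    additional, optionally an RRSIG over the glue as some servers add."""
    answer = [rr(".", TYPE_NS, encode_name("a.root-servers.net.")),
              rr(".", TYPE_RRSIG, filler_rrsig(TYPE_NS, 0, "."))]
    additional = [rr("a.root-servers.net.", TYPE_A, bytes([192, 0, 2, 1]))]
    if with_glue_rrsig:
        additional.append(rr("a.root-servers.net.", TYPE_RRSIG,
                             filler_rrsig(TYPE_A, 3, "root-servers.net.")))
    additional.append(rr(".", TYPE_OPT, b"", ttl=EDNS_DO, rclass=4096))
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answer), 0, len(additional))
    question = encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    return header + question + b"".join(answer) + b"".join(additional)


def glue_rrsig_overhead():
    """Bytes the additional-section RRSIG adds to this priming response."""
    return (len(constructed_priming_response(True))
            - len(constructed_priming_response(False)))


if __name__ == "__main__":
    q = parse_message(build_priming_query())
    print("priming query:", q["question"], "DO set:", do_bit_set(q))
    for flag in (False, True):
        m = parse_message(constructed_priming_response(flag))
        print("glue RRSIG" if flag else "no glue RRSIG", rrsig_count(m))
    print("additional RRSIG costs", glue_rrsig_overhead(), "bytes")
```

Run stand-alone, the script shows the NS-set RRSIG counted in the answer section in both variants and the single glue RRSIG appearing only in the additional section, together with the byte cost that one extra record adds to a response that is already expected to fit in one UDP datagram. The same parser can be pointed at a real priming response captured with any packet tool to see which behaviour a given root server exhibits.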