[dns-operations] .com/.net DNSSEC operational message

Mark Andrews marka at isc.org
Sat Oct 30 23:21:05 UTC 2010


In message <slrnicmeva.lu.lutz at belenus.iks-jena.de>, Lutz Donnerhacke writes:
> Please keep in mind that the Root-Servers do not send *signed* glue, so
> there is no fear for exploding responses. If the root-server is also
> responsible for a delegated zone (like GTLD-SERVERS.NET), it will include
> signed glue (if there is enough space). So Florian's fears can be caught by
> preventing root-servers from serving additional zones at the same time.

The additional records in the response to a priming query are NOT
glue records.  Glue is only returned when returning a referral.
The response to a priming query is NOT a referral.  While the root
zone contains address records for a.root-servers.net they are NOT
supposed to be returned to a priming query as they are below a zone
cut (.NET).  Unbound is known to break this rule.

If the root servers didn't also serve root-servers.net you would
just get the NS RRset and no (zero) address records in the response.
If/when root-servers.net is signed then signatures would be added
along with address records to the response to the priming queries.

I did suggest that root-servers.net get signed as part of the DURZ
experiment but that did not happen.  It would have been some benefit
to everyone as you would have had fragmented UDP responses being
sent from the root servers *before* the root zone was signed.  Now
people think their firewalls are configured properly when they may
not be.

If/when root-servers.net is signed I think we are going to have to
do a similar experiment by progressively rolling out a signed
root-servers.net.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
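To put numbers on the fragmentation point in the reply above, here is an added example (not from the list post; stdlib Python only) that builds a wire-format priming response with RFC 1035 name compression and estimates its size with and without RRSIGs on the root-servers.net address records. It assumes a complete answer (13 NS plus A and AAAA for every server, the server names being a constructed sample), zero-filled signatures of a chosen length, a 4096-byte EDNS buffer and a 1500-byte MTU.

```python
import struct
# Constructed sample: 13 root server names; for size only RDATA lengths matter (A=4, AAAA=16).
ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 2, 28, 41, 46
RRSIG_FIXED, TTL = 18, 518400  # RRSIG fields before the signer name; RR TTL

def encode_name(name, offset=0, table=None):
    """Wire-encode a name; with a table, suffixes already sent become 0xC0xx pointers
    (RFC 1035 4.1.4). RRSIG signer names are never compressed (RFC 4034), so table=None."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if table is not None and suffix in table:
            return out + struct.pack("!H", 0xC000 | table[suffix])
        if table is not None:
            table[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def rr(owner, rtype, rdata, offset, table):
    """One RR: owner NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    name = encode_name(owner, offset, table)
    return name + struct.pack("!HHIH", rtype, 1, TTL, len(rdata)) + rdata

def priming_response_size(signed=False, sig_len=128):
    """Bytes in a '. IN NS' response: the NS RRset plus A and AAAA for every server
    and, if signed, one RRSIG per RRset (sig_len 128 = RSA-1024, 256 = RSA-2048)."""
    table = {}
    def rrsig(owner, signer, offset):  # signer name uncompressed, signature zero-filled
        rdata = b"\x00" * RRSIG_FIXED + encode_name(signer) + b"\x00" * sig_len
        return rr(owner, TYPE_RRSIG, rdata, offset, table)
    msg = b"\x00" * 12 + encode_name(".", 12, table) + struct.pack("!HH", TYPE_NS, 1)
    for srv in ROOT_SERVERS:  # answer: NS RRset; owner "." is 1 byte + 10 fixed bytes
        msg += rr(".", TYPE_NS, encode_name(srv, len(msg) + 11, table), len(msg), table)
    if signed:
        msg += rrsig(".", ".", len(msg))
    for srv in ROOT_SERVERS:  # additional: A and AAAA (and their RRSIGs) per server
        for rtype, rdlen in ((TYPE_A, 4), (TYPE_AAAA, 16)):
            msg += rr(srv, rtype, b"\x00" * rdlen, len(msg), table)
            if signed:
                msg += rrsig(srv, "root-servers.net.", len(msg))
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)  # OPT RR, DO bit
    return len(msg)

def udp_outcome(size, edns_buf=4096, mtu=1500):
    """'fits', 'fragmented' (IPv4+UDP headers exceed the MTU) or 'truncated' (TC, TCP retry)."""
    return "truncated" if size > edns_buf else "fragmented" if size + 28 > mtu else "fits"
```

The unsigned response comes to 811 bytes; with 128-byte signatures the fully signed one is 5545 bytes, past a 4096-byte EDNS buffer, so it would be truncated rather than fragmented, while 64-byte signatures give 3817 bytes, which fits the buffer but not the MTU.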