[dns-operations] Implementation of negative trust anchors?

UFJORw== ufjorw at gmail.com
Tue Aug 27 18:51:37 UTC 2013

On Tue, Aug 27, 2013 at 6:06 PM, Carlos M. Martinez
<carlosm3011 at gmail.com> wrote:
> when I read 'an authoritative nameserver SHOULD NOT publish an invalid zone _ever_', well, I was struck by how obvious this is, and a bit ashamed at how I had never thought about it. This is something that should have always been in place.
> Same for [A|I]XFR. Slaves MUST refuse transferring invalid zones ! In that way they might keep an outdated but still validly signed zone.


This sounds to me like a bad/complex idea.

That would mean having a full-fledged DNSSEC validator in every
authserv: what a software bloat!
And what about the validation policy? What is an "invalid signature"?
What keys were used to verify the signatures? Local trust anchors? The
root? Which version of the root keys?
Should we trust the most specific key or only the root or should they
be both valid?
What if the domain is an island and no DS is published on purpose?
What if a DLV is published because the parent does not accept DS?
Which DLV database should you trust?
What if the authserv does not support the signature or the hashing algorithm?
What if the authserv is clock-drifting?
And finally: are all of these parameters the same as those in the
validators that will query the authserv?

If you got any of these wrong, the zone will not be published.
Do not expect a good availability/resiliency from that mess.

Please, let's keep authservers as simple as possible.


More information about the dns-operations mailing list