On 2013-08-27, at 14:51, "UFJORw==" <ufjorw at gmail.com> wrote:

> That would mean having a full-fledged DNSSEC validator in every
> authserv: what a software bloat!

Personally, I prefer the approach of being able to shell out to a script that runs something like validns over the just-transferred zone, so I can make my own decisions as an operator as to what checks are sensible to run.

> And what about the validation policy? What is an "invalid signature"?
> What keys were used to verify the signatures? Local trust anchors? The
> root? Which version of the root keys?
> Should we trust the most specific key or only the root or should they
> be both valid?
> What if the domain is an island and no DS is published on purpose?
> What if a DLV is published because the parent does not accept DS?
> Which DLV database should you trust?
> What if the authserv does not support the signature or the hashing algorithm?
> What if the authserv is clock-drifting?
> And finally: are all of these parameters the same as those in the
> validators that will query the authserv?

Indeed, being able to run my own script is good :-)
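The hook approach described in the reply above, written out as an added example that is not part of this thread and not code from validns or from any name server: a POSIX sh script meant to be run after a zone transfer with the zone name and the path of the transferred zone file as arguments (that calling convention is an assumption), which hands the file to an external checker and then applies one operator-chosen check of its own, rejecting the zone when the earliest RRSIG expiration is closer than a configurable margin. The checker is assumed to be validns invoked with only the zone file and exiting non-zero on problems; no validns options are assumed. The zone file used in the test is constructed.

```shell
#!/bin/sh
# Post-transfer zone check hook (added example; assumptions: the server runs
# "hook.sh ZONE FILE" after a transfer, treats a non-zero exit as "do not serve",
# and VALIDATOR names a zone checker that exits non-zero on errors).

VALIDATOR="${VALIDATOR:-validns}"
# Reject the zone if any RRSIG expires sooner than this many seconds from now,
# so a stalled signer or a drifting clock is caught before resolvers fail.
MIN_REMAINING="${MIN_REMAINING:-86400}"

# Civil time (YYYYMMDDHHMMSS) to seconds since 1970-01-01 UTC, in awk so the
# script does not depend on GNU or BSD date extensions.
AWK_EPOCH='
function epoch(ts,  y, m, d, yy, era, yoe, mm, doy, doe, days) {
    y = substr(ts, 1, 4) + 0; m = substr(ts, 5, 2) + 0; d = substr(ts, 7, 2) + 0
    yy = (m <= 2) ? y - 1 : y
    era = int(yy / 400); yoe = yy - era * 400
    mm = (m > 2) ? m - 3 : m + 9
    doy = int((153 * mm + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468
    return days * 86400 + substr(ts, 9, 2) * 3600 + substr(ts, 11, 2) * 60 + substr(ts, 13, 2)
}
'

# run_validator ZONE FILE: run the external checker, log its output, return its status.
run_validator() {
    zone=$1; file=$2
    [ -r "$file" ] || { echo "$zone: cannot read $file" >&2; return 1; }
    status=0
    out=$("$VALIDATOR" "$file" 2>&1) || status=$?
    [ -n "$out" ] && printf '%s\n' "$out" >&2
    return "$status"
}

# earliest_rrsig_expiry FILE: earliest RRSIG expiration (YYYYMMDDHHMMSS) in a
# presentation-format zone file; prints nothing when the zone has no RRSIGs.
earliest_rrsig_expiry() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "RRSIG") continue
                e = $(i + 5)    # fields after RRSIG: type alg labels origttl expiration
                # NSEC type bitmaps also contain the token RRSIG; the length and
                # digit check drops those false matches.
                if (length(e) == 14 && e ~ /^[0-9]+$/ && (min == "" || e + 0 < min + 0)) min = e
                break
            }
        }
        END { if (min != "") print min }' "$1"
}

# rrsig_seconds_remaining FILE [NOW]: seconds from NOW (default: current UTC time)
# until the earliest RRSIG expiration; negative if a signature already expired.
rrsig_seconds_remaining() {
    earliest=$(earliest_rrsig_expiry "$1")
    [ -n "$earliest" ] || return 1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    awk -v e="$earliest" -v n="$now" "$AWK_EPOCH"'BEGIN { printf "%.0f\n", epoch(e) - epoch(n) }'
}

# rrsig_expiry_ok FILE [NOW]: 0 if every RRSIG stays valid for MIN_REMAINING seconds.
rrsig_expiry_ok() {
    remaining=$(rrsig_seconds_remaining "$1" "$2") || { echo "$1: no RRSIG records found" >&2; return 1; }
    if [ "$remaining" -lt "$MIN_REMAINING" ]; then
        echo "$1: earliest RRSIG expiration is only ${remaining}s away (minimum $MIN_REMAINING)" >&2
        return 1
    fi
    return 0
}

# check_zone ZONE FILE [NOW]: all checks; exit status 0 means the zone may be served.
check_zone() {
    run_validator "$1" "$2" || return 1
    rrsig_expiry_ok "$2" "$3" || return 1
}

# Entry point when the server invokes the hook as "hook.sh ZONE FILE".
if [ $# -ge 2 ]; then
    check_zone "$1" "$2" || exit 1
    echo "$1: ok"
fi
```

The external checker and the local RRSIG check are independent functions, so an operator can swap the checker for another tool or add further checks (for example, a DNSKEY set comparison against the keys they expect) without touching the rest of the hook; the zone is only accepted when every check returns zero.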
