[dns-operations] Implementation of negative trust anchors?
Carlos M. Martinez
carlosm3011 at gmail.com
Tue Aug 27 18:56:20 UTC 2013
I agree, triggering some script after certain events and conditioning zone acceptance on the result of the script is a nice approach. I like it.
On Aug 27, 2013, at 3:54 PM, Joe Abley <jabley at hopcount.ca> wrote:
>
> On 2013-08-27, at 14:51, "UFJORw==" <ufjorw at gmail.com> wrote:
>
>> That would mean having a full-fledged DNSSEC validator in every
>> authserv: what a software bloat!
>
> Personally, I prefer the approach of being able to shell out to a script that runs something like validns over the just-transferred zone, so I can make my own decisions as an operator as to what checks are sensible to run.
>
>> And what about the validation policy? What is an "invalid signature"?
>> What keys were used to verify the signatures? Local trust anchors? The
>> root? Which version of the root keys?
>> Should we trust the most specific key or only the root or should they
>> be both valid?
>> What if the domain is an island and no DS is published on purpose?
>> What if a DLV is published because the parent does not accept DS?
>> Which DLV database should you trust?
>> What if the authserv does not support the signature or the hashing algorithm?
>> What if the authserv is clock-drifting?
>> And finally: are all of these parameters the same as those in the
>> validators that will query the authserv?
>
> Indeed, being able to run my own script is good :-)
>
>
> Joe
>
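The "shell out to a checker over the just-transferred zone" approach discussed above, as an added example that is not from this thread or from any nameserver's own code: a POSIX shell hook that runs a zone checker and returns success only when it passes, so the caller can condition zone acceptance on that result. The `validns -z origin zonefile` invocation is an assumption about its command line; the checker is a parameter so a substitute (for the test, `true`/`false`) can be dropped in, and a missing checker is reported separately from a bad zone so the operator can decide whether to fail closed.

```shell
#!/bin/sh
# Post-transfer zone check hook (added example, not from the thread).
# Usage: check_zone ORIGIN ZONEFILE [CHECKER]
# Exit codes: 0 = zone accepted, 1 = checker found problems (or file unreadable),
#             2 = checker unavailable (caller decides whether to fail closed)
check_zone() {
    zone=$1
    file=$2
    checker=${3:-validns}   # any substitute must accept "-z ORIGIN ZONEFILE"

    [ -r "$file" ] || { echo "zone file $file not readable" >&2; return 1; }

    # Distinguish "tool missing" from "zone bad": a missing checker must
    # never silently look like a clean zone.
    command -v "$checker" >/dev/null 2>&1 || {
        echo "checker $checker not found; refusing to judge $zone" >&2
        return 2
    }

    # The -z origin flag is assumed from validns's documented usage.
    log=$(mktemp) || return 2
    if "$checker" -z "$zone" "$file" >"$log" 2>&1; then
        rm -f "$log"
        return 0
    fi
    echo "zone $zone rejected by $checker:" >&2
    head -n 20 "$log" >&2
    rm -f "$log"
    return 1
}

# Stand-alone use: check_zone.sh ORIGIN ZONEFILE [CHECKER]
if [ "$#" -ge 2 ]; then
    check_zone "$@"
fi
```

Wire the hook into whatever post-transfer event your nameserver exposes and treat any non-zero status as "keep serving the previous zone", logging the checker output so a rejected transfer is visible rather than silent.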