[dns-operations] Implementation of negative trust anchors?

Carlos M. Martinez carlosm3011 at gmail.com
Tue Aug 27 18:56:20 UTC 2013


I agree, triggering some script after certain events and conditioning zone acceptance on the result of the script is a nice approach. I like it.

On Aug 27, 2013, at 3:54 PM, Joe Abley <jabley at hopcount.ca> wrote:

> 
> On 2013-08-27, at 14:51, "UFJORw==" <ufjorw at gmail.com> wrote:
> 
>> That would mean having a full-fledged DNSSEC validator in every
>> authserv: what a software bloat!
> 
> Personally, I prefer the approach of being able to shell out to a script that runs something like validns over the just-transferred zone, so I can make my own decisions as an operator as to what checks are sensible to run.
> 
>> And what about the validation policy? What is an "invalid signature"?
>> What keys were used to verify the signatures? Local trust anchors? The
>> root? Which version of the root keys?
>> Should we trust the most specific key or only the root or should they
>> be both valid?
>> What if the domain is an island and no DS is published on purpose?
>> What if a DLV is published because the parent does not accept DS?
>> Which DLV database should you trust?
>> What if the authserv does not support the signature or the hashing algorithm?
>> What if the authserv is clock-drifting?
>> And finally: are all of these parameters the same as those in the
>> validators that will query the authserv?
> 
> Indeed, being able to run my own script is good :-)
> 
> 
> Joe
> 
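As an added illustration of the hook Joe describes (shelling out to a checker such as validns over a just-transferred zone and letting the operator decide whether to accept it), here is a small POSIX shell gate. It is example code written for this archive page, not part of the thread, of validns, or of any nameserver; the script name `zone_gate.sh`, the `CHECK_CMD`/`CHECK_ARGS` variables and the file layout are assumptions. The checker is configurable so any validator with a meaningful exit status can be plugged in, and the gate fails closed: a missing checker or a non-zero exit leaves the previously installed zone untouched.

```shell
#!/bin/sh
# zone_gate.sh - post-transfer zone acceptance hook (constructed example, not
# from the dns-operations thread or from validns).
# Usage: zone_gate.sh <zone-name> <candidate-zone-file> <live-zone-file>
# The checker defaults to validns; override with CHECK_CMD (and CHECK_ARGS)
# to run any validator whose exit status is 0 for "zone is acceptable".

# run_checks ZONE CANDIDATE
# Returns 0 when the checker accepts the candidate file, 2 when the checker
# itself cannot be found (fail closed), and the checker's status otherwise.
run_checks() {
    zone="$1"
    candidate="$2"
    checker="${CHECK_CMD:-validns}"
    if ! command -v "$checker" >/dev/null 2>&1; then
        echo "zone_gate: checker '$checker' not found; rejecting $zone" >&2
        return 2
    fi
    # CHECK_ARGS is intentionally unquoted so it can carry several flags.
    # shellcheck disable=SC2086
    "$checker" ${CHECK_ARGS:-} "$candidate"
}

# accept_zone ZONE CANDIDATE LIVE
# Installs CANDIDATE as LIVE only if run_checks passes; on failure the
# candidate is discarded and the previously installed zone stays in place.
accept_zone() {
    zone="$1"
    candidate="$2"
    live="$3"
    if run_checks "$zone" "$candidate"; then
        mv -f "$candidate" "$live"
        echo "zone_gate: accepted $zone" >&2
        return 0
    fi
    status=$?
    echo "zone_gate: rejected $zone (checker status $status), keeping old zone" >&2
    rm -f "$candidate"
    return 1
}

# Run as a script: exit status tells the caller whether the zone went live.
if [ "${0##*/}" = "zone_gate.sh" ] && [ $# -eq 3 ]; then
    accept_zone "$1" "$2" "$3"
    exit $?
fi
```

In practice the nameserver (or a wrapper around its transfer process) would write the transferred zone to the candidate path and invoke the gate; a zone that fails the operator's chosen checks is dropped and the server keeps serving the last accepted copy.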




More information about the dns-operations mailing list