[dns-operations] Implementation of negative trust anchors?
Carlos M. Martinez
carlosm3011 at gmail.com
Tue Aug 27 19:01:49 UTC 2013
I mostly agree, but as someone pointed out, the zone operator will be immediately (and painfully) aware of the mishap. Just as if you have a syntax error in your zone file. I fail to see how this result in 'worse' availability compared to what we have today.
Regarding your What … ? questions, I agree you need to answer them, but well, they should be easy to answer if you intend to publish signed zones. And, if you cannot positively answer those questions for your zone and your three or four slaves, well, what can you expect from the Internet as a whole ?
On Aug 27, 2013, at 3:51 PM, "UFJORw==" <ufjorw at gmail.com> wrote:
> On Tue, Aug 27, 2013 at 6:06 PM, Carlos M. Martinez
> <carlosm3011 at gmail.com> wrote:
>> when I read 'an authoritative nameserver SHOULD NOT publish an invalid zone _ever_', well, I was struck by how obvious this is, and a bit ashamed at how I had never thought about it. This is something that should have always been in place.
>> Same for [A|I]XFR. Slaves MUST refuse transferring invalid zones ! In that way they might keep an outdated but still validly signed zone.
> This sounds to me like a bad/complex idea.
> That would mean having a full-fledged DNSSEC validator in every
> authserv: what a software bloat!
> And what about the validation policy? What is an "invalid signature"?
> What keys were used to verify the signatures? Local trust anchors? The
> root? Which version of the root keys?
> Should we trust the most specific key or only the root or should they
> be both valid?
> What if the domain is an island and no DS is published on purpose?
> What if a DLV is published because the parent does not accept DS?
> Which DLV database should you trust?
> What if the authserv does not support the signature or the hashing algorithm?
> What if the authserv is clock-drifting?
> And finally: are all of these parameters the same as those in the
> validators that will query the authserv?
> If you got any of these wrong, the zone will not be published.
> Do not expect a good availability/resiliency from that mess.
> Please, let's keep authservers as simple as possible.
More information about the dns-operations