[dns-operations] issue with DNSSEC on one of the root NS with IPv6?

Jim Reid jim at rfc1035.com
Tue May 16 21:43:19 UTC 2017


> On 16 May 2017, at 22:15, Alarig Le Lay <alarig at swordarmor.fr> wrote:
> 
> The root zone is not signed. Either with IPv6 or IPv4.

You’ve not really got a clear grasp of this DNS thing, have you?

1) The root zone has been signed for almost 7 years.

2) It doesn’t matter to DNSSEC if queries and responses use IPv4 or IPv6. Secure DNS works just fine with both. Well, modulo some corner cases with fragmentation which don’t matter here.

3) The DS record indicates that a child (delegation) is signed. It goes in the parent zone, not the child zone.

4) Asking for a DS record for “.” makes no sense. The root zone by definition does not have a parent zone. Which is where the DS record for its KSK would be. If such a DS record existed. Which it doesn’t.

5) Try asking the root servers for DNSKEY records for “.”.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170516/86b64827/attachment.sig>


More information about the dns-operations mailing list