[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

[Florian Weimer]

* Phil Pennock:

> Double-check: in such a scenario, if the request is for the recursive to
> validate DNSSEC and this zone is not opt-out, then the recursive would
> HAVE to get the data from the child, because the parent won't have RRSIG
> records for the glue NS, right?

DNSSEC is designed under the assumption that easy spoofing of DNS
responses is not possible: Infrastructure records are not signed, and
a resolver has to hope that the non-signed portions of a server
response are genuine.  Recovery from misleading NS or glue records can
be rather difficult.

Unbound has an optional mode where it tries very hard to verify
infrastructure records, but at least in the past, it added a high
number of new queries (to the degree that it became difficult to run a
resolver behind NAT).

Resolvers typically do not process many NS queries from clients, so
there is generally no need to fetch NS RRsets and their signatures,
and verify them.  There are also different implementation choices when
it comes to caching of infrastructure records (separate caches or one
unified cache for everything), and to what degree such records are used
to route completely separate queries to upstream servers.