* Phil Pennock:

> Double-check: in such a scenario, if the request is for the recursive to validate DNSSEC and this zone is not opt-out, then the recursive would HAVE to get the data from the child, because the parent won't have RRSIG records for the glue NS, right?
DNSSEC is designed under the assumption that easy spoofing of DNS responses is not possible: infrastructure records are not signed, and a resolver has to hope that the non-signed portions of a server response are genuine. Recovery from misleading NS or glue records can be rather difficult.

Unbound has an optional mode where it tries very hard to verify infrastructure records, but at least in the past, it added a high number of new queries (to the degree that it became difficult to run a resolver behind NAT).

Resolvers typically do not process many NS queries from clients, so there is generally no need to fetch NS RRsets and their signatures, and verify them. There are also different implementation choices when it comes to caching of infrastructure records (separate caches or one unified cache for everything), and to what degree such records are used to route completely separate queries to upstream servers.

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
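An added illustration of the point made above, not code from the thread or from Unbound: a constructed referral is filtered with a bailiwick rule so that only glue belonging to the delegation's own nameservers and lying inside the referring server's authority is kept, and everything kept is still reported as unvalidated because neither the delegation NS RRset nor the glue carries an RRSIG. The record representation and zone names are simplified assumptions, not DNS wire format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record; 'signed' marks an RRset that arrived with an RRSIG."""
    name: str
    rtype: str
    rdata: str
    signed: bool = False


def in_bailiwick(name: str, zone: str) -> bool:
    """True if 'name' is at or below 'zone' (compared case-insensitively)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def filter_referral(server_zone, authority, additional):
    """Apply a bailiwick rule to a referral and report what a cautious cache keeps.

    The NS RRset in the authority section is the parent's delegation, which
    DNSSEC does not sign, so it survives only as an unvalidated hint. Glue from
    the additional section is kept only when its owner is one of the delegated
    nameservers and sits inside the zone the referring server is authoritative for.
    """
    ns_names = {rr.rdata.lower() for rr in authority if rr.rtype == "NS"}
    kept, dropped = [], []
    for rr in additional:
        if rr.name.lower() in ns_names and in_bailiwick(rr.name, server_zone):
            kept.append(rr)
        else:
            dropped.append(rr)
    unvalidated = [rr for rr in authority + kept if not rr.signed]
    return {"ns": sorted(ns_names), "glue": kept, "dropped": dropped, "unvalidated": unvalidated}


# Constructed referral for a name under child.example, answered by an "example." server.
AUTHORITY = [
    RR("child.example.", "NS", "ns1.child.example."),
    RR("child.example.", "NS", "ns2.child.example."),
    RR("child.example.", "NS", "ns.other.test."),
]
ADDITIONAL = [
    RR("ns1.child.example.", "A", "192.0.2.1"),
    RR("ns2.child.example.", "A", "192.0.2.2"),
    RR("ns.other.test.", "A", "198.51.100.9"),    # outside the server's authority
    RR("www.child.example.", "A", "203.0.113.5"),  # not a nameserver at all
]

if __name__ == "__main__":
    print(filter_referral("example.", AUTHORITY, ADDITIONAL))
```

Even the glue that passes the filter is only a hint; confirming it means querying the child for its signed apex NS RRset, which is the extra traffic the message above attributes to Unbound's hardening mode.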
