On 6/3/23 11:03 AM, Dave Knight wrote:
> On Jun 3, 2023, at 1:22 AM, Doug Barton <[email protected]> wrote:
>> On 6/2/23 11:12 AM, Dave Knight wrote:
>>> Regarding your assertion that you can validate the priming query with DNSSEC,
>>
>> I suggested that we validate the priming response; we don't validate queries
>> with DNSSEC.
>
> You are correct, I was imprecise with my language there. Hopefully my meaning was well taken.
>
>>> all you can validate is the NS set. The host records cannot be validated
>>> because root-servers.net is not signed.
>>
>> Good point!
>
> They're still used to replace what was provided in the root.hints after the
> priming response is received though.

Right, but that's not relevant to your assertion that we don't need OOB validation because we can validate the priming query with DNSSEC.


1. The priming query uses root hints, whether it's a file or compiled in
2. The signature in the root zone only covers the host names for the root delegation, which are incredibly unlikely to ever change
3. The host records for the root servers cannot be validated with DNSSEC

Since the host records are the interesting bit, we do absolutely need to make sure that we can sanity check them somehow. I'm not sure Chris' suggestion to essentially "vote" on which host records are the right ones based on the results returned from polling all the known addresses is the right solution.

Personally I would love to see the political drama around signing root-servers.net go away and have that zone signed already.

Doug
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
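The split the thread describes, with the root NS RRset being the only part of a priming response that an RRSIG from the signed root zone can cover while the A/AAAA records for root-servers.net cannot be validated, can be turned into a resolver-side audit. The following is an added example, not code from this thread or from any resolver; it models records as plain tuples, uses constructed hints and a constructed priming response with RFC 5737 documentation addresses rather than the real root server addresses, and assumes that the cryptographic verification of the RRSIG itself is done by the resolver's validator. It reports which glue records match the hints, which are new or dropped, and flags any difference as needing out-of-band checking because nothing in the additional section can be DNSSEC-validated.

```python
"""Audit a root priming response against the configured root hints.

Added example for the dns-operations thread above, not resolver code.
Only the ". NS" RRset lives in the signed root zone and can carry an RRSIG;
the address records for *.root-servers.net come from an unsigned zone, so
any change relative to the hints must be checked out of band.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

ADDR_TYPES = ("A", "AAAA")


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, presentation-format rdata."""
    name: str
    rtype: str
    rdata: str


@dataclass
class PrimingResponse:
    """The sections of a priming response that matter for this audit."""
    answer: List[RR]      # NS RRset for "." plus the RRSIG covering it
    additional: List[RR]  # A/AAAA records for the root server names


@dataclass
class Audit:
    ns_signed: bool                        # NS RRset is accompanied by an RRSIG
    ns_names: Set[str]
    names_missing_glue: Set[str]           # NS names with no address returned
    unchanged: Set[Tuple[str, str, str]]   # (name, type, address) equal to hints
    new: Set[Tuple[str, str, str]]         # returned but absent from the hints
    dropped: Set[Tuple[str, str, str]]     # in the hints but not returned
    needs_oob_check: bool                  # glue differs and cannot be validated


def _addresses(records: List[RR], names: Set[str]) -> Set[Tuple[str, str, str]]:
    return {(r.name, r.rtype, r.rdata) for r in records
            if r.rtype in ADDR_TYPES and r.name in names}


def audit_priming(hints: List[RR], resp: PrimingResponse) -> Audit:
    ns_names = {r.rdata for r in resp.answer if r.name == "." and r.rtype == "NS"}
    # Structural check only: an RRSIG whose covered type is NS must be present.
    # Verifying the signature against the trust anchor is assumed to happen in
    # the resolver's validator and is outside this example.
    covered = {r.rdata.split()[0] for r in resp.answer
               if r.name == "." and r.rtype == "RRSIG"}
    ns_signed = bool(ns_names) and "NS" in covered

    returned = _addresses(resp.additional, ns_names)
    hinted = {(r.name, r.rtype, r.rdata) for r in hints if r.rtype in ADDR_TYPES}
    glue_names = {name for name, _, _ in returned}
    unchanged, new, dropped = returned & hinted, returned - hinted, hinted - returned
    # root-servers.net is unsigned, so the additional section carries no proof:
    # every difference from the hints is something to confirm out of band.
    return Audit(ns_signed, ns_names, ns_names - glue_names,
                 unchanged, new, dropped, bool(new or dropped))


def sample_hints() -> List[RR]:
    # Constructed hints; addresses are RFC 5737 documentation placeholders.
    return [
        RR(".", "NS", "a.root-servers.net."),
        RR(".", "NS", "b.root-servers.net."),
        RR(".", "NS", "c.root-servers.net."),
        RR("a.root-servers.net.", "A", "192.0.2.1"),
        RR("b.root-servers.net.", "A", "192.0.2.2"),
        RR("c.root-servers.net.", "A", "192.0.2.3"),
    ]


def sample_response(renumber_b: bool = False, omit_c: bool = False) -> PrimingResponse:
    # Constructed priming response; the RRSIG rdata is a placeholder in
    # presentation format and only its covered type ("NS") is inspected.
    names = ("a.root-servers.net.", "b.root-servers.net.", "c.root-servers.net.")
    answer = [RR(".", "NS", n) for n in names]
    answer.append(RR(".", "RRSIG",
                     "NS 8 0 518400 20230701000000 20230601000000 12345 . <sig>"))
    additional = [RR("a.root-servers.net.", "A", "192.0.2.1"),
                  RR("b.root-servers.net.", "A",
                     "192.0.2.22" if renumber_b else "192.0.2.2")]
    if not omit_c:
        additional.append(RR("c.root-servers.net.", "A", "192.0.2.3"))
    return PrimingResponse(answer, additional)


if __name__ == "__main__":
    a = audit_priming(sample_hints(), sample_response(renumber_b=True, omit_c=True))
    print(f"NS RRset signed: {a.ns_signed}; new glue: {sorted(a.new)}")
    print(f"dropped glue: {sorted(a.dropped)}; missing glue for: {sorted(a.names_missing_glue)}")
    print("needs out-of-band check:", a.needs_oob_check)
```

The audit deliberately treats "signed" and "trustworthy" as separate properties: the NS names can be validated, the addresses can only be compared, so a renumbered or missing address is reported as a change to confirm rather than accepted because the rest of the response validated.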