With QNAME minimisation and DNSSEC it does not matter what the root 
servers return for the addresses of the root servers.  You get referrals to 
TLDs or validatable NXDOMAIN.   We have added techniques to lookups that mean 
that root servers are no longer a point where you can inject bad data and have 
it be accepted. 

If the recursive server is not using QNAME minimisation, DNS COOKIES and DNSSEC 
validation, then it is unsafe to use.  All three of these are security fixes 
added to the DNS protocol and should be in use everywhere. 

-- 
Mark Andrews

> On 4 Jun 2023, at 07:15, Doug Barton <[email protected]> wrote:
> 
> On 6/3/23 11:03 AM, Dave Knight wrote:
>>>> On Jun 3, 2023, at 1:22 AM, Doug Barton <[email protected]> wrote:
>>> 
>>>> On 6/2/23 11:12 AM, Dave Knight wrote:
>>> Regarding your assertion that you can validate the priming query with 
>>> DNSSEC,
>> I suggested that we validate the priming response, we don't validate queries 
>> with DNSSEC.
> 
> 
> You are correct, I was imprecise with my language there. Hopefully my meaning 
> was well taken.
> 
>>> all you can validate is the NS set. The host records cannot be validated 
>>> because root-servers.net is not signed.
>> Good point!
>> They're still used to replace what was provided in the root.hints after the 
>> priming response is received though.
> 
> Right, but that's not relevant to your assertion that we don't need OOB 
> validation because we can validate the priming query with DNSSEC.
> 
> 
> 1. The priming query uses root hints, whether it's a file or compiled in
> 2. The signature in the root zone only covers the host names for the root 
> delegation, which are incredibly unlikely to ever change
> 3. The host records for the root servers cannot be validated with DNSSEC
> 
> Since the host records are the interesting bit, we do absolutely need to make 
> sure that we can sanity check them somehow. I'm not sure Chris' suggestion to 
> essentially "vote" on which host records are the right ones based on the 
> results returned from polling all the known addresses is the right solution.
> 
> Personally I would love to see the political drama around signing 
> root-servers.net go away and have that zone signed already.
> 
> Doug
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

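The QNAME minimisation point made at the top of the thread (that a root server only ever sees a TLD-level query and answers with a referral or an NXDOMAIN) can be seen in a small simulation. The following is an added example, not code from the mailing-list thread or from any resolver; the delegation tree, the names and the 192.0.2.x addresses are constructed for illustration, and the algorithm is a simplified reading of RFC 9156 (one label at a time, NS as the probe type until the full name is reached). Nothing here touches the network.

```python
# Added example (not from the mailing-list thread): simulate the queries an
# iterative resolver sends with and without QNAME minimisation (RFC 9156).
# The delegation tree, names and addresses below are constructed.

# Constructed authoritative data.  Each zone lists the child zones it
# delegates and the owner names it holds data for.
ZONES = {
    ".": {"delegations": {"com."}, "records": {}},
    "com.": {"delegations": {"example.com."}, "records": {}},
    "example.com.": {
        "delegations": set(),
        "records": {
            "example.com.": {"A": ["192.0.2.1"]},
            "www.example.com.": {"A": ["192.0.2.10"]},
        },
    },
}


def is_subdomain(name, zone):
    """True if `name` is `zone` itself or lies below it."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def authoritative_answer(zone, qname, qtype):
    """Simulated authoritative server for `zone`.

    Returns (kind, payload): ("REFERRAL", child_zone), ("ANSWER", rdata),
    ("NODATA", None) or ("NXDOMAIN", None).
    """
    z = ZONES[zone]
    for child in z["delegations"]:
        if is_subdomain(qname, child):
            return "REFERRAL", child
    rrsets = z["records"].get(qname)
    if rrsets is not None:
        return ("ANSWER", rrsets[qtype]) if qtype in rrsets else ("NODATA", None)
    # A name that exists only as an ancestor of other names (or of a
    # delegation) is an empty non-terminal: NODATA, not NXDOMAIN.
    below = list(z["records"]) + list(z["delegations"])
    if any(is_subdomain(owner, qname) for owner in below):
        return "NODATA", None
    return "NXDOMAIN", None


def next_minimised_name(qname, known):
    """The name one label below `known` on the way down to `qname`."""
    target = qname.rstrip(".").split(".")[::-1]          # root-first labels
    have = [] if known == "." else known.rstrip(".").split(".")[::-1]
    if target[: len(have)] != have:
        raise ValueError("known name is not an ancestor of qname")
    return ".".join(target[: len(have) + 1][::-1]) + "."


def resolve(qname, qtype, minimise):
    """Iteratively resolve qname/qtype starting at the root.

    Returns (rcode, rdata, log); log lists (zone asked, name sent, type sent)
    for every query in the order it was sent.
    """
    log = []
    zone = "."    # server we are currently asking
    known = "."   # closest enclosing name confirmed to exist
    while True:
        if minimise:
            name = next_minimised_name(qname, known)
            # Ask for the real type only once the full name is reached;
            # otherwise probe with NS (RFC 9156 permits other types too).
            qt = qtype if name == qname else "NS"
        else:
            name, qt = qname, qtype
        log.append((zone, name, qt))
        kind, payload = authoritative_answer(zone, name, qt)
        if kind == "REFERRAL":
            zone = known = payload      # follow the delegation downwards
        elif kind == "NXDOMAIN":
            return "NXDOMAIN", None, log
        elif kind == "ANSWER":
            return "NOERROR", payload, log
        elif name == qname:             # NODATA at the final name
            return "NOERROR", [], log
        else:
            known = name                # NODATA on a probe: one label further


def names_seen_by(zone, log):
    """Query names a given server received, in order."""
    return [name for z, name, _ in log if z == zone]


if __name__ == "__main__":
    for q in ("www.example.com.", "nope.example.com.", "www.example.invalid."):
        for minimise in (False, True):
            rcode, rdata, log = resolve(q, "A", minimise)
            print(f"{q} minimise={minimise}: {rcode} {rdata}")
            for entry in log:
                print("   ", entry)
```

With minimisation on, the root server receives only `com.`/NS (or `invalid.`/NS, which it answers with NXDOMAIN) and never learns the full name being looked up; the final answer and rcode are the same either way. In a real resolver the NXDOMAIN from the root would additionally carry NSEC records that a DNSSEC validator checks, which is the "validatable NXDOMAIN" referred to above; that signature check is outside this simulation.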