On 10/31/19 8:38 PM, John Levine wrote:
>> root-servers.net be DNSSEC signed, but without a secure delegation.
...
> Do any DNS resolvers use root-servers.net?  I thought they took an IP
> address from the local cache file and then an NS query to get the
> current root set.  This doesn't strike me as a problem we urgently
> need to solve.

Knot Resolver does refresh all the info by default, i.e., the built-in root server names and addresses only get used for bootstrapping. See also https://tools.ietf.org/html/rfc8109#section-3.3

Even so, I can't immediately see potential for a real-life problem if that zone gets signed (normally). It's normal to use glue addresses without validating them - even unavoidable in the common cases of in-bailiwick nameservers (say, NS cz.).

>> (Also, I think the ADoT requirements should include an assumption that ADoT
>> is not supported unless the nameserver name explicitly signals such at or
>> under the nameserver's name.)
> I'm not yet prepared to rule out approaches where the parent sends the signal.

+1. I suspect it might be hard to avoid revealing at least the (in-bailiwick) NS name/zone without that or some "hack" like what DNSCurve does, so better to avoid unnecessary restrictions too soon. Note that SNI encryption for TLS is also planned to be bootstrapped from the same DNS subtree, so designing the whole thing to bootstrap without leaking any name might be tough. Still, perhaps the NS name will be sufficient in the clear - to simplify achieving other goals of the protocol, given that NS addresses will basically reveal their names anyway.

--Vladimir
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
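As an added example (not part of this thread, and not Knot Resolver's code), the priming sequence the reply above describes, in plain Python with no third-party modules: the hints-file address is used only to reach one root server, the current root server names are taken from the NS answer, and their addresses from glue in the additional section, which the parser accepts unvalidated (root-servers.net has no secure delegation) but only for names the answer actually listed. The hint address, the constructed sample response and every name and address in it are assumptions for illustration, not captured traffic; `prime_from_hint()` is the only function that touches the network and is not needed to run the offline part.

```python
import ipaddress
import socket
import struct

# Assumed hints-file entry (a.root-servers.net); only used to reach a root server.
ROOT_HINT_IPV4 = "198.41.0.4"


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (name, end_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_priming_query(txid=0x1234, edns_udp_size=4096):
    """Priming query: QNAME '.', QTYPE NS, QCLASS IN, RD=0, plus an EDNS0 OPT record
    advertising a UDP size so the full NS set and glue fit without truncation."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, arcount)
    msg += encode_name(".") + struct.pack("!HH", 2, 1)            # NS, IN
    if edns_udp_size:
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)   # OPT
    return msg


def parse_priming_response(msg):
    """Return {ns_name: [addresses]} from the answer NS set plus matching glue."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS

    def read_rrs(count, off):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, ttl, off, msg[off:off + rdlen]))
            off += rdlen
        return rrs, off

    answers, off = read_rrs(an, off)
    _authority, off = read_rrs(ns, off)
    additional, off = read_rrs(ar, off)

    # The current root server names come from the answer section, not the hints.
    root_set = {}
    for owner, rtype, _ttl, rdoff, _rdata in answers:
        if owner == "." and rtype == 2:                # NS
            nsname, _ = decode_name(msg, rdoff)
            root_set[nsname] = []

    # Addresses are glue: accepted without DNSSEC validation (root-servers.net has
    # no secure delegation). The only check is that the owner is a name the answer
    # listed, so an unrelated record in the additional section is dropped.
    for owner, rtype, _ttl, _rdoff, rdata in additional:
        if owner not in root_set:
            continue
        if rtype == 1 and len(rdata) == 4:             # A
            root_set[owner].append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and len(rdata) == 16:         # AAAA
            root_set[owner].append(str(ipaddress.IPv6Address(rdata)))
    return root_set


def build_sample_response(txid=0x1234):
    """Constructed priming reply (not a capture): two NS, their glue, one stray A."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8400, 1, 2, 0, 4))   # QR, AA
    msg += encode_name(".") + struct.pack("!HH", 2, 1)

    def rr(owner, rtype, ttl, rdata):
        msg.extend(owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)

    a_off = len(msg) + 1 + 10                          # offset of first NS rdata
    rr(b"\x00", 2, 518400, encode_name("a.root-servers.net"))
    suffix_ptr = struct.pack("!H", 0xC000 | (a_off + 2))   # -> "root-servers.net."
    a_ptr = struct.pack("!H", 0xC000 | a_off)               # -> "a.root-servers.net."
    b_off = len(msg) + 1 + 10
    rr(b"\x00", 2, 518400, b"\x01b" + suffix_ptr)           # compressed NS rdata
    b_ptr = struct.pack("!H", 0xC000 | b_off)               # -> "b.root-servers.net."
    rr(a_ptr, 1, 518400, ipaddress.IPv4Address("198.41.0.4").packed)
    rr(a_ptr, 28, 518400, ipaddress.IPv6Address("2001:503:ba3e::2:30").packed)
    rr(b_ptr, 1, 518400, ipaddress.IPv4Address("199.9.14.201").packed)
    rr(encode_name("ns.example"), 1, 3600, ipaddress.IPv4Address("192.0.2.1").packed)
    return bytes(msg)


def prime_from_hint(hint_ip=ROOT_HINT_IPV4, timeout=3.0):
    """Send the priming query to one hint address over UDP and parse the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_priming_query(), (hint_ip, 53))
        reply, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_priming_response(reply)


if __name__ == "__main__":
    print(parse_priming_response(build_sample_response()))
```

Running the offline part yields the two root server names with their glue and silently drops `ns.example.`; `prime_from_hint()` does the same against a live root server, and a resolver that, like Knot Resolver, repeats this on a timer never relies on the hint name or address once the first reply has been parsed.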
