Unfortunately (and I agree that this is unfortunate) the design for DNSSEC does not protect the NS record in the parent with a signature.
The real issue here is that the DNS was designed with the assumption that you don't care where you get your records from. The NS delegation is a hint, but it's just a hint, e.g., the set of NS in the child zone needn't match the parent. DNSSEC reinforces that by validating the records independent of the path.
If we now think that validating the path is a key security feature, I wouldn't disagree but we should acknowledge how big a change that is to the DNS model. The changes are not trivial and are likely to be painful.
Regards,
John

PS: there's always dnscurve

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
