On Tue, 26 Aug 2008, David Conrad wrote:
> On Aug 26, 2008, at 12:08 PM, Matt Larson wrote:
> >Note that the root-servers.net zone as configured on
> >root.verisignlabs.com is not signed, since the root-servers.net zone
> >would not be signed, nor would it need to be, if the root were
> >signed.
>
> Sorry. Perhaps I need more caffeine. Why not?

Validation will work without it. A validator will either be able to form a chain of trust to a signed zone or it won't, and validate the answer to its original query or not. A signed root-servers.net zone is not a zone in that chain of trust. Many validators won't even use signed data in the additional section (e.g., Unbound Java for sure and, I think, Unbound C; not sure without checking the code first.)

Matt
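
The point made in the reply above, as an added example that is not part of the original message or of any validator's code: a toy model of how a validator picks the zones it must chain through for a query. The zone table, flags and function names are constructed assumptions, and no real signature checking is done.

```python
# Toy model of DNSSEC chain-of-trust construction (no real cryptography).
# Constructed zone data for the scenario in the thread: the root is signed,
# root-servers.net is not.
#   signed       = zone publishes DNSKEY/RRSIG records
#   ds_in_parent = parent publishes a DS for it (for ".", the trust anchor)
ZONES = {
    ".":                 {"signed": True,  "ds_in_parent": True},
    "com.":              {"signed": True,  "ds_in_parent": True},
    "example.com.":      {"signed": True,  "ds_in_parent": True},
    "net.":              {"signed": True,  "ds_in_parent": True},
    "root-servers.net.": {"signed": False, "ds_in_parent": False},
}

def ancestor_zones(qname):
    """Return the known zones enclosing qname, ordered from the root down."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    names = ["."] + [".".join(labels[i:]) + "."
                     for i in range(len(labels) - 1, -1, -1)]
    return [n for n in names if n in ZONES]

def validate(qname):
    """Walk root -> ... -> zone of qname; return (status, zones consulted)."""
    chain = ancestor_zones(qname)
    for zone in chain:
        z = ZONES[zone]
        if not z["ds_in_parent"]:
            return "insecure", chain   # provably unsigned delegation
        if not z["signed"]:
            return "bogus", chain      # DS present but zone carries no signatures
    return "secure", chain

if __name__ == "__main__":
    # The chain for a name under com. never touches root-servers.net,
    # so that zone being unsigned does not affect the result.
    print(validate("www.example.com."))
    # Only a direct query for a root server name ends in the unsigned zone.
    print(validate("a.root-servers.net."))
```

The addresses of the root servers reach the validator as additional-section data while it resolves, and in this model they play no part in deciding the status of the answer.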
