On 8/1/18, 07:29, "DNSOP on behalf of Tony Finch" <dnsop-boun...@ietf.org on behalf of d...@dotat.at> wrote:
> I was kind of assuming that the NSEC chain would include the glue -
> obviously delegations and glue in opt-out intervals are not protected at
> all.

The reason cut point information is not signed is that the copies are not authoritative, that is, the delegating zone is not the source of the records, they are merely hints. The reason this wasn't seen as an oversight is the thought that if bad glue were followed, the DNSSEC chain would not work (for the data set sought) so long as the private keys (involved) were private.

The reason there is no overall zone signature is that the goal was data (set) integrity, not zone transfer integrity. If the issue is zone transfer integrity, a solution will need to go beyond what DNSSEC is defined to be now. (Not saying this is an obstacle, pointing out that DNSSEC wasn't designed to accomplish that.)

FWIW, there's TSIG protection of AXFR messages (hop-by-hop), which isn't DNSSEC, and then other operational practices, as examples of other tools. (That is obvious to many, just including for completeness.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
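The "cut point information is not signed" point above can be made concrete by walking a parent zone and asking which RRsets the parent actually covers with an RRSIG. The following is an added example, not code from the thread or from any IETF document; it applies the RFC 4035 section 2.2 rule (a zone signs only its own authoritative data, so at a zone cut the DS and NSEC RRsets are signed while the delegating NS RRset and any glue beneath the cut are not) to a small constructed zone `example.` that delegates `child.example.`. Names, records and the `classify` helper are all constructed for illustration.

```python
"""Which RRsets in a signed parent zone actually carry an RRSIG?

Constructed example: the parent zone "example." delegates "child.example."
to two in-bailiwick name servers, so their A/AAAA records live in the parent
as glue. Records are modelled as (owner, rtype) pairs; only the signing
decision is shown, no real signatures are produced.
"""

# RRset types at a zone cut that are the parent's OWN authoritative data and
# therefore get an RRSIG from the parent. The NS RRset at the cut is not in
# this set: it belongs to the child and is only a hint (RFC 4035 s. 2.2).
SIGNED_AT_CUT = {"DS", "NSEC"}


def is_below(name: str, ancestor: str) -> bool:
    """True if name is a strict subdomain of ancestor (absolute names, case-insensitive)."""
    name, ancestor = name.lower(), ancestor.lower()
    return name != ancestor and name.endswith("." + ancestor)


def delegation_points(rrs, origin: str) -> set:
    """Owners of NS RRsets other than the apex: each one is a zone cut."""
    return {owner for owner, rtype in rrs
            if rtype == "NS" and owner.lower() != origin.lower()}


def is_signed(owner: str, rtype: str, origin: str, cuts: set) -> bool:
    """Does the parent zone (origin) sign this RRset?"""
    if rtype == "RRSIG":
        return False                     # signatures are never themselves signed
    for cut in cuts:
        if owner.lower() == cut.lower():
            return rtype in SIGNED_AT_CUT  # DS/NSEC: yes; delegating NS: no
        if is_below(owner, cut):
            return False                 # glue below the cut: a hint, not authoritative
    return True                          # ordinary authoritative data (apex NS included)


def classify(rrs, origin: str) -> dict:
    """Map every (owner, rtype) in the zone to whether the parent signs it."""
    cuts = delegation_points(rrs, origin)
    return {(owner, rtype): is_signed(owner, rtype, origin, cuts)
            for owner, rtype in rrs}


# Constructed sample parent zone (owner, rtype); RRSIG/NSEC rows omitted for brevity.
SAMPLE_ZONE = [
    ("example.", "SOA"),
    ("example.", "NS"),                 # apex NS: authoritative, signed
    ("example.", "DNSKEY"),
    ("www.example.", "A"),
    ("child.example.", "NS"),           # delegation: NOT signed by the parent
    ("child.example.", "DS"),           # DS at the cut: signed, carries the chain of trust
    ("ns1.child.example.", "A"),        # glue: NOT signed
    ("ns2.child.example.", "AAAA"),     # glue: NOT signed
]

if __name__ == "__main__":
    for (owner, rtype), signed in classify(SAMPLE_ZONE, "example.").items():
        print(f"{owner:22} {rtype:6} {'signed' if signed else 'UNSIGNED'}")
```

Running it shows exactly the split the message describes: `www.example. A`, the apex `NS` and the `DS` at `child.example.` are signed, while `child.example. NS` and the two glue addresses are not. That is also why bad glue is not fatal to data integrity: a resolver that follows forged glue to a rogue server still has to obtain a `DNSKEY` for `child.example.` matching the signed `DS`, which requires the child's private key. What the unsigned records do leave open is availability (misdirection to a non-answering server), which is the zone-transfer-integrity gap the message says DNSSEC was not designed to close.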