On Mon, 20 Aug 2018, Shumon Huque wrote:

On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters <[email protected]> wrote:

      When using DNSSEC, the resolver should follow the glue and then perform
      a query at the child zone to confirm the glue data. In unbound.conf
      terms this is called harden-glue: yes


I had not thought of this, thanks for mentioning it.  So if I transfer a copy 
of the root (or other zone), I can verify the signed parts with DNSSEC, and
the glue by resolving them and verifying from the child zone.  Does that leave 
any unverified records (are glue the only unsigned records)?
Note that the child might have different records than the parent glue, so my 
copy of the zone might end up different in that regard - is that ok?

This scheme won't work because in the general case glue records for signed
zones may live in unsigned zones and thus may not be validatable at all. See
glue for .COM, .NET, .ORG etc. for prominent examples.

Those zones would have a signed ZONEMD but no DS record leading to a
validated path anyway, so those are lost without an external (from
DNSSEC) PKI which falls very far outside the scope of ZONEMD.

Paul
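The check discussed in this thread (treat parent glue as a hint, query the child zone for the nameserver addresses, and fall back to "cannot verify" when the name lives in an unsigned zone), as an added illustration that is not code from the thread or from any resolver. The child-zone answers and their validation status are constructed inline; `ChildAnswer` and `check_glue` are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class ChildAnswer:
    """Constructed stand-in for an authoritative answer from the child zone."""
    addresses: frozenset   # A/AAAA rdata the child serves for the NS owner name
    secure: bool           # True if validated through a DS chain; False if the
                           # zone holding the name is unsigned (no DS leads to it)


def _norm(addrs):
    # Normalise textual form so "2001:DB8::1" and "2001:db8::1" compare equal
    return frozenset(str(ip_address(a)) for a in addrs)


def check_glue(parent_glue, child_answers):
    """Classify each glue owner name taken from the (unsigned) parent glue.

    parent_glue:   {ns_name: set of address strings} as found in the parent zone.
    child_answers: {ns_name: ChildAnswer} from querying the child zone.
    Returns {ns_name: (status, addresses_to_use)}; status is one of
    'verified', 'mismatch', 'unverifiable', 'no-answer'.
    """
    result = {}
    for name, glue in parent_glue.items():
        glue = _norm(glue)
        ans = child_answers.get(name)
        if ans is None:
            result[name] = ("no-answer", glue)          # hint only, nothing to compare
            continue
        child = _norm(ans.addresses)
        if not ans.secure:
            result[name] = ("unverifiable", child)      # DNSSEC cannot prove either copy
        elif child == glue:
            result[name] = ("verified", child)
        else:
            result[name] = ("mismatch", child)          # child is authoritative; prefer it
    return result


# Constructed sample data (not real zone contents)
PARENT_GLUE = {
    "ns1.example.": {"192.0.2.1", "2001:DB8::1"},
    "ns2.example.": {"192.0.2.2"},
    "ns.unsigned-zone.example.": {"198.51.100.7"},
}
CHILD = {
    "ns1.example.": ChildAnswer(frozenset({"192.0.2.1", "2001:db8::1"}), secure=True),
    "ns2.example.": ChildAnswer(frozenset({"192.0.2.22"}), secure=True),
    "ns.unsigned-zone.example.": ChildAnswer(frozenset({"198.51.100.7"}), secure=False),
}

if __name__ == "__main__":
    for name, (status, addrs) in check_glue(PARENT_GLUE, CHILD).items():
        print(f"{name:28} {status:13} {sorted(addrs)}")
```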

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop