> On 26 Jul 2022, at 09:21, Petr Špaček <[email protected]> wrote:
> 
> On 28. 06. 22 16:20, Bob Harold wrote:
> > But the parent NS set is not covered by DNSSEC, and thus could be spoofed??
> > (Wish we could fix that!)
> 
> I share your wish.
> 
> Does anyone else want to contribute?
> 
> Can people here share their memories of why it is not signed? I wasn't doing 
> DNS when this was designed and I think it would be good to understand the 
> motivation before we start proposing crazy things.

If the child is not signed then it doesn’t matter if the parent is signed.  You 
can still spoof it.
If the child is signed then you can detect when the parent is spoofed and the 
lookup in the child fails.

Today with DNS COOKIE you can detect if you are getting spoofed referrals 
“from” the parent.

> Thank you for your time.
> 
> -- 
> Petr Špaček
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
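
The client-cookie check that the reply above refers to, as an added example that is not part of the original message: a resolver compares the COOKIE option (RFC 7873) in a referral against the client cookie it sent. All function names are hypothetical and the referral message is constructed sample data.

```python
import hmac
import struct

COOKIE_OPT, TYPE_OPT = 10, 41  # EDNS COOKIE option code (RFC 7873), OPT RR type

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def extract_cookie(msg):
    """Return the COOKIE option payload found in any OPT RR, or None."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):                      # question: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # walk every resource record
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        p = 0
        while rtype == TYPE_OPT and p + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, p)
            if code == COOKIE_OPT:
                return rdata[p + 4:p + 4 + olen]
            p += 4 + olen
    return None

def referral_cookie_ok(msg, client_cookie):
    """True when the response echoes our 8-byte client cookie."""
    c = extract_cookie(msg)
    well_formed = c is not None and (len(c) == 8 or 16 <= len(c) <= 40)
    return well_formed and hmac.compare_digest(c[:8], client_cookie)

def name(s):
    """Encode a dotted name in uncompressed wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def build_referral(cookie):
    """Constructed sample: unsigned referral for example.com with an OPT RR."""
    hdr = struct.pack("!6H", 0x1234, 0x8000, 1, 0, 1, 1)
    q = name("www.example.com") + struct.pack("!HH", 1, 1)
    nsd = name("ns1.example.com")
    auth = name("example.com") + struct.pack("!HHIH", 2, 1, 172800, len(nsd)) + nsd
    opt_data = struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie if cookie else b""
    opt = b"\0" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(opt_data)) + opt_data
    return hdr + q + auth + opt
```

A sender that never saw the query has to guess the 64-bit client cookie; treating a missing cookie as a failure assumes the server is already known to support COOKIE.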
