Petr Špaček wrote on 2022-07-26 06:21:
> On 28. 06. 22 16:20, Bob Harold wrote:
>> But the parent NS set is not covered by DNSSEC, and thus could be spoofed??
>> (Wish we could fix that!)
>
> I share your wish.
>
> Does anyone else want to contribute?

only to fight such a change.

> Can people here share their memories of why it is not signed? I wasn't
> doing DNS when this was designed and I think it would be good to
> understand the motivation before we start proposing crazy things.

it exists in two places. only one can be authoritative. therefore only
one can be signed. as olafur said down-thread, RFC103x ought to have
used different rr types for delegation vs. apex nameserver list. now we
live with it.
--
P Vixie
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop