Signed root - missing RRSIG for delegation?
Niobos
niobos at dest-unreach.be
Fri Jul 16 12:22:59 UTC 2010
That makes it clear for me; thank you very much!
As an unrelated side-note: does anyone know when org.'s DS will be
included in the root zone?
Niobos
On 2010-07-16 14:08, Alan Clegg wrote:
>> Trying to enhance that: Am I correct to state that it's not possible to
>> validate a delegation NS RRset?
>> You can only validate it indirectly by checking if the DS at the parent
>> matches the DNSKEY in the (presumed) child.
>
> And that the NS in the child is signed by the ZSK that is signed by the
> KSK that matches the DS in the parent.
>
> The parent is not allowed to sign the NS records (nor glue), as it does
> not truly 'own' the data -- only the child has that responsibility.
>
>> It appears that DNSSEC was designed to verify from the QNAME back up to
>> the root. I was trying to do it the other way around, hence my confusion.
>
> A leap of faith (trust anchor) provides a validatable zone which
> contains a DS record which validates a child DNSKEY which provides a
> validatable zone which ... but you start by doing a query for the QNAME
> for which you were interested in and then chasing backwards, so yes.
>
> I highly recommend http://dnsviz.net as a path to enlightenment.
>
> AlanC
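The link that the exchange above describes (the DS at the parent "matching" the DNSKEY in the child) is a concrete, offline-checkable computation: a DS record carries the key tag, algorithm and a digest of the canonical owner name concatenated with the DNSKEY RDATA (RFC 4034 section 5). The script below is an added example, not code from the thread or from BIND, that builds the DS a parent would publish for a child key and checks whether a given DS set vouches for a given DNSKEY set. The key material is constructed (64 bytes that are not a real ECDSA point), the owner name `example.org.` is only a sample, and no RRSIG verification is attempted: a real validator must still verify the RRSIG over the child's DNSKEY RRset with the matched KSK and the RRSIGs over the zone data (including the apex NS set) with the ZSK, which needs actual public-key cryptography.

```python
"""Check that a DS RRset at a parent covers a DNSKEY in the child zone (RFC 4034).

The DS digest is hash(canonical owner name | DNSKEY RDATA); the key tag is the
RFC 4034 Appendix B checksum. A DS "matches" a DNSKEY when key tag, algorithm
and digest all agree. Sample key material below is constructed, not real.
"""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, general form (algorithm 1 RSA/MD5 uses a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_hex(owner, rdata, digest_type):
    """DS digest = hash(owner name in canonical wire form | DNSKEY RDATA), uppercase hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_covers_dnskey(ds, owner, dnskey):
    """ds = (key_tag, algorithm, digest_type, digest_hex);
    dnskey = (flags, protocol, algorithm, pubkey_b64).
    True only if every field linking the two records agrees and the key is a zone key."""
    tag, alg, digest_type, digest_hex = ds
    flags, protocol, key_alg, pubkey_b64 = dnskey
    if digest_type not in DIGEST_ALGS or protocol != 3:
        return False
    if not flags & 0x0100:
        # Bit 7 (Zone Key) clear: the key may not be used to validate zone data (RFC 4034 s2.1.1).
        return False
    rdata = dnskey_rdata(flags, protocol, key_alg, pubkey_b64)
    return (alg == key_alg
            and tag == key_tag(rdata)
            and digest_hex.upper() == ds_digest_hex(owner, rdata, digest_type))


def secure_entry_keys(owner, parent_ds_set, child_dnskey_set):
    """Child DNSKEYs that some parent DS vouches for; an empty list means the
    chain of trust cannot be extended into this child zone."""
    return [k for k in child_dnskey_set
            if any(ds_covers_dnskey(ds, owner, k) for ds in parent_ds_set)]


# Constructed sample keys (hypothetical, NOT real key material): 64 deterministic bytes
# presented as algorithm 13 keys, one with flags 257 (KSK/SEP), one with flags 256 (ZSK).
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = (257, 3, 13, SAMPLE_PUBKEY_B64)
SAMPLE_ZSK = (256, 3, 13, base64.b64encode(bytes(reversed(range(64)))).decode())


def sample_ds_for(owner, dnskey, digest_type=2):
    """The DS a parent would publish for this key (what an operator hands to the registrar)."""
    flags, protocol, alg, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    return (key_tag(rdata), alg, digest_type, ds_digest_hex(owner, rdata, digest_type))


if __name__ == "__main__":
    owner = "example.org."  # sample owner name, not a claim about the real zone
    ds_set = [sample_ds_for(owner, SAMPLE_KSK)]
    print("DS for sample KSK:", ds_set[0])
    print("keys vouched for by the parent:", secure_entry_keys(owner, ds_set, [SAMPLE_KSK, SAMPLE_ZSK]))
```

Note that the owner name is part of the digest, so a DS copied to the wrong delegation point does not match, and that the ZSK is not covered by any DS at all: the parent vouches only for the KSK, and the ZSK (and with it the child's apex NS RRset) is reached through the child's own RRSIG over its DNSKEY RRset, which is exactly the chaining Alan describes.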