[dnssec-deployment] Nominet position paper about Signing the Root.
Lutz Donnerhacke
lutz at iks-jena.de
Tue Dec 4 03:34:08 EST 2007
* Michael Richardson wrote:
> You don't sign the data you don't like.
> People/hosts using your set of KSKs/ZSKs simply can't verify that
> "bad" data.
Unfortunately, this does not work.
Assume a TLD with different NS entries depending on the signing party:
- A injects NS1 and NS2 for TLD and signs those records with key kA.
- B injects NS3 and NS4 for TLD and signs those records with key kB.
In the root zone the records are merged:
- Requests to TLD return four NS records: NS1 to NS4.
- The DNSSEC validator gets two possible signatures which both fail
to verify the set of four NS records.
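The validation failure described above can be reproduced directly from the RRSIG construction rules: a DNSSEC signature covers the canonical form of the whole RRset, so a signature computed over {NS1, NS2} cannot verify over the merged set {NS1, NS2, NS3, NS4}. The following is an added example and not code from the original post or from any DNSSEC implementation. It assumes a hypothetical TLD "example.", constructed key material, and an HMAC as a stand-in for the asymmetric RRSIG algorithm; the canonical-form serialisation follows RFC 4034 section 3.1.8.1 and 6.2.

```python
import hashlib
import hmac
import struct

# Assumption: HMAC-SHA256 stands in for the real asymmetric RRSIG algorithm.
# The point of the example is the data being signed, not the primitive.

def canonical_name(name):
    """Wire-format owner name in canonical (lower-case, fully qualified) form."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    wire = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return wire + b"\x00"

def ns_rdata(target):
    """NS RDATA is a single domain name, canonicalised like an owner name."""
    return canonical_name(target)

def canonical_rrset(owner, rtype, rclass, ttl, rdatas):
    """Serialise an RRset: owner | type | class | TTL | RDLENGTH | RDATA per RR,
    with RRs sorted in canonical order (by RDATA)."""
    rrs = []
    for rd in sorted(rdatas):
        rrs.append(canonical_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rd)) + rd)
    return b"".join(rrs)

def rrsig_rdata_prefix(rtype, ttl, key_tag, signer):
    """RRSIG RDATA without the signature field: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer's name (constructed values)."""
    algorithm, labels = 8, 1
    expiration, inception = 2_000_000_000, 1_900_000_000
    return struct.pack("!HBBIIIH", rtype, algorithm, labels, ttl,
                       expiration, inception, key_tag) + canonical_name(signer)

def signed_data(prefix, owner, rtype, rclass, ttl, rdatas):
    """Input to the signature: RRSIG RDATA prefix followed by the canonical RRset."""
    return prefix + canonical_rrset(owner, rtype, rclass, ttl, rdatas)

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)

def split_signing_scenario():
    """Two parties each sign their own NS records; the root merges the RRsets."""
    tld, ns_type, in_class, ttl = "example.", 2, 1, 172800
    key_a, key_b = b"constructed-key-of-party-A", b"constructed-key-of-party-B"
    tag_a, tag_b = 11111, 22222

    a_rdatas = [ns_rdata("ns1.example."), ns_rdata("ns2.example.")]
    b_rdatas = [ns_rdata("ns3.example."), ns_rdata("ns4.example.")]

    prefix_a = rrsig_rdata_prefix(ns_type, ttl, tag_a, tld)
    prefix_b = rrsig_rdata_prefix(ns_type, ttl, tag_b, tld)
    sig_a = sign(key_a, signed_data(prefix_a, tld, ns_type, in_class, ttl, a_rdatas))
    sig_b = sign(key_b, signed_data(prefix_b, tld, ns_type, in_class, ttl, b_rdatas))

    # The root zone serves the union; a validator must verify over all four NS RRs.
    merged = a_rdatas + b_rdatas
    merged_a = signed_data(prefix_a, tld, ns_type, in_class, ttl, merged)
    merged_b = signed_data(prefix_b, tld, ns_type, in_class, ttl, merged)

    return {
        "a_over_own": verify(key_a, signed_data(prefix_a, tld, ns_type, in_class, ttl, a_rdatas), sig_a),
        "b_over_own": verify(key_b, signed_data(prefix_b, tld, ns_type, in_class, ttl, b_rdatas), sig_b),
        "a_over_merged": verify(key_a, merged_a, sig_a),
        "b_over_merged": verify(key_b, merged_b, sig_b),
    }

if __name__ == "__main__":
    for name, ok in split_signing_scenario().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Each signature verifies over the two records its own party published, and neither verifies over the four-record set the root actually serves; a validator trusting either key sees a bogus RRset rather than a filtered one.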