[dnssec-deployment] Nominet position paper about Signing the Root.
lutz at iks-jena.de
Tue Dec 4 03:34:08 EST 2007
* Michael Richardson wrote:
> You don't sign the data you don't like.
> People/hosts using your set of KSKs/ZSKs simply can't verify that
> "bad" data.
Unfortunly, this does not work.
Assume a TLD with different NS entries depending on the signing party:
- A injects NS1 and NS2 for TLD and signs those records with key kA.
- B injects NS3 and NS4 for TLD and signs those records with key kB.
In the root zone the records are merged:
- Requests to TLD return four NS records: NS1 to NS4.
- The DNSSEC validator gets two possible signatures which both fail
to verify the set of four NS records.
More information about the Dnssec-deployment