[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad

Paul Vixie paul at vix.com
Sun Jun 29 19:47:46 EDT 2008


> I realized I should have also made the point that if a registry checks the
> signature of an RRset before it puts it into the registry's zone, it can
> reject false records from the registrar and thereby block this sort of
> attack.

of all the things i can think of that a registrar could engineer and remain
profitable, RFC 5011 style "must sign updates using current key" is not even
on the list.  the NS RRs in the delegating (parent) zone are not signed by
anybody, so requiring that their out-of-band representation from registrant to
registrar, or their in-band representation from registrar to registry, be
signed using any key we can think of or name, would be a really great big
change.

> Of course, if it's the registrar who is creating the signed records, then if
> the registrar is penetrated it's still possible to spoof the NS records.

that's our situation ("possible to spoof") but it's not constrained by the
roles, since the records aren't going to be signed in the parent.  only answer
data is signed, not delegation data.  does this relaxation help you to panic?
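An added example, not part of the post above: the rule Vixie is relying on is that a signed parent zone carries RRSIGs over its own apex data and over the DS and NSEC/NSEC3 records at a delegation, but not over the delegation NS RRset or any glue beneath it. The script below walks a constructed parent zone (fake names, fake "FAKESIG==" signature and key material, one record per line, no real RRSIG validation, only presence of a covering RRSIG) and reports which RRsets are signed and which delegation-point records are not. The helper names and the zone contents are assumptions made for this illustration.

```python
"""
Which RRsets in a signed parent zone actually carry an RRSIG?

Added example, not code from the mailing-list post. PARENT_ZONE is a
constructed snippet with fake signature material; the parser is deliberately
minimal (one record per line, no $ORIGIN, no TTL defaults) and only checks
whether a covering RRSIG exists, not whether it validates.
"""
from collections import defaultdict

# Constructed parent zone "example." with one delegation, "child.example.".
PARENT_ZONE = """\
example.          3600 IN SOA    ns1.example. hostmaster.example. 1 3600 900 604800 300
example.          3600 IN RRSIG  SOA 8 1 3600 20080801000000 20080701000000 12345 example. FAKESIG==
example.          3600 IN NS     ns1.example.
example.          3600 IN RRSIG  NS 8 1 3600 20080801000000 20080701000000 12345 example. FAKESIG==
example.          3600 IN DNSKEY 257 3 8 FAKEKEY==
example.          3600 IN RRSIG  DNSKEY 8 1 3600 20080801000000 20080701000000 12345 example. FAKESIG==
ns1.example.      3600 IN A      192.0.2.1
ns1.example.      3600 IN RRSIG  A 8 2 3600 20080801000000 20080701000000 12345 example. FAKESIG==
child.example.    3600 IN NS     ns.child.example.
child.example.    3600 IN DS     54321 8 2 FAKEDIGEST
child.example.    3600 IN RRSIG  DS 8 2 3600 20080801000000 20080701000000 12345 example. FAKESIG==
child.example.    3600 IN NSEC   example. NS DS RRSIG NSEC
child.example.    3600 IN RRSIG  NSEC 8 2 3600 20080801000000 20080701000000 12345 example. FAKESIG==
ns.child.example. 3600 IN A      192.0.2.53
"""


def parse_zone(text):
    """Return ({(owner, type): [rdata, ...]}, {(owner, covered_type), ...}).

    The second element is the set of (owner, type) pairs that have at least
    one RRSIG whose "type covered" field (first RRSIG rdata field) names them.
    """
    rrsets = defaultdict(list)
    covered = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "RRSIG":
            covered.add((owner, rdata[0]))
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, covered


def delegations(rrsets, apex):
    """Owner names below the apex that hold an NS RRset are zone cuts."""
    return sorted(owner for (owner, rtype) in rrsets if rtype == "NS" and owner != apex)


def signature_report(text):
    """Map every (owner, type) RRset in the zone to True/False: has an RRSIG?"""
    rrsets, covered = parse_zone(text)
    return {key: key in covered for key in rrsets}


def unsigned_at_delegation(text, apex):
    """The security-relevant subset: RRsets at or below a zone cut with no RRSIG.

    DS and NSEC at the cut belong to the parent and are expected to be signed,
    so they are excluded; the delegation NS and any glue underneath it are the
    records the parent does not sign.
    """
    rrsets, covered = parse_zone(text)
    cuts = delegations(rrsets, apex)
    result = []
    for (owner, rtype) in rrsets:
        at_or_below_cut = any(owner == c or owner.endswith("." + c) for c in cuts)
        if at_or_below_cut and rtype not in ("DS", "NSEC") and (owner, rtype) not in covered:
            result.append((owner, rtype))
    return sorted(result)


if __name__ == "__main__":
    for (owner, rtype), signed in sorted(signature_report(PARENT_ZONE).items()):
        print(f"{owner:20} {rtype:7} {'signed' if signed else 'UNSIGNED'}")
    print("unsigned at/below delegation:", unsigned_at_delegation(PARENT_ZONE, "example."))
```

Run it and the apex SOA/NS/DNSKEY and the child's DS and NSEC show as signed, while child.example. NS and the ns.child.example. glue A show as unsigned: a registry that inserted a forged NS for child.example. would break nothing a validator checks in the parent, which is the point of the reply above. The same classification applies to NSEC3 zones; the helper only needs "NSEC3" added to the excluded-types tuple.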


