[dnssec-deployment] About "no validation" for DNS root signing strategy

Peter Koch pk at DENIC.DE
Tue Oct 13 03:19:02 EDT 2009


On Mon, Oct 12, 2009 at 02:20:20PM -0400, Thierry Moreau wrote:

> 5.1. Special Considerations for Islands of Security
> 
> Islands of security (see [RFC4033]) are signed zones for which it is
> not possible to construct an authentication chain to the zone from
> its parent. Validating signatures within an island of security
> requires that the validator have some other means of obtaining an
> initial authenticated zone key for the island. If a validator cannot
> obtain such a key, it SHOULD switch to operating as if the zones in
> the island of security are unsigned.

[...]

> What the contemplated root deployment strategy asks for is to replace
> the above SHOULD by a MUST. Otherwise, the DNSSEC standard allows "bogus"
> returned by a resolver software implementation even in the absence of
> "other means of obtaining an initial authenticated key".

well, that can be questioned since the text quoted above doesn't exactly
specify where from to "switch".  This boils down to the question what should
trigger the validation -- the presence of a trust anchor somewhere up in the
hierarchy or the presence of RRSIGs in the response.  RFC4035 suggests the former,
if I am not mistaken(*).  But thou shalt not scrape the root KSK/SEP.  Not only
would this lead to validation failures due to the mismatch, don't forget
that during incremental deployment only some of the root name servers would
add DNSSEC material to the responses in the first place.  What worries me a bit
is that it appears so hard to understand that the DURZ has nothing to do
with validation but is only there to "fill the pipe".

-Peter

(*) in which case no subsequent DNSKEY queries for the apex (".") should be
    expected.
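
The two candidate triggers discussed in the message above (a trust anchor somewhere up in the hierarchy versus RRSIGs in the response), as an added example that is not part of the original post. It is a simplified model with no cryptography; the server labels, the "se." anchor and all function names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    qname: str       # owner name of the answer
    server: str      # constructed label for the answering server
    has_rrsig: bool  # whether the response carried RRSIG records

def closest_trust_anchor(qname, anchors):
    """Closest enclosing zone in `anchors` (names with trailing dot), or None."""
    name = qname.rstrip(".").lower()
    labels = name.split(".") if name else []
    for i in range(len(labels) + 1):
        zone = ".".join(labels[i:]) + "."
        if zone in anchors:
            return zone
    return None

def outcome(resp, anchors, trigger):
    """trigger is 'anchor' or 'rrsig': the condition that starts validation."""
    anchor = closest_trust_anchor(resp.qname, anchors)
    start = (anchor is not None) if trigger == "anchor" else resp.has_rrsig
    if not start:
        return "unsigned"   # operate as if the zone were unsigned
    if anchor is None:
        return "bogus"      # signatures seen, but no key to start a chain from
    return "validate from " + anchor

def compare(responses, anchors):
    """Outcome of every response under each trigger policy."""
    return {t: [outcome(r, anchors, t) for r in responses]
            for t in ("anchor", "rrsig")}

# Constructed sample: a validator with one island-of-security anchor, and a
# partially deployed signed root where only some servers add DNSSEC material.
ANCHORS = {"se."}
RESPONSES = [
    Response(".", "root-server-1", True),
    Response(".", "root-server-2", False),
    Response("www.example.se.", "se-server", True),
]

if __name__ == "__main__":
    for trigger, results in compare(RESPONSES, ANCHORS).items():
        print(trigger, results)
```

With the anchor-based trigger both root responses are handled identically; with the RRSIG-based trigger the result for the same name depends on which root server answered.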
