[Dnssec-deployment] Signed TLD status

Doug Barton dougb at dougbarton.us
Mon Sep 27 16:44:37 EDT 2010


On 9/27/2010 1:41 PM, Anthony Iliopoulos wrote:
> On Mon, Sep 27, 2010 at 01:37:26PM -0700, Doug Barton wrote:
>> On 9/27/2010 4:53 AM, Olafur Gudmundsson wrote:
>>> An interesting question arises from this data:
>>> How long should a newly signed domain wait until it submits its DS to
>>> the parent?
>>
>> What harm is there if the child submits the DS to the parent before
>> it's signed?
>
> It breaks the validation chain, the dnssec validator will have a
> signed proof that there should be a matching DNSKEY in the child
> zone, while there would be none. Any production validator will
> treat this as a record stripping-like attack and the zone will be
> marked as bogus.

Ok, interesting theory, but my question is how does the validator find
out about the DS record in the first place? DNSSEC validation happens
from the bottom up. If the validator doesn't see any RRSIGs why would it
go looking for the DNSKEY?


Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/


