[Dnssec-deployment] Signed TLD status

Olafur Gudmundsson ogud at ogud.com
Mon Sep 27 16:49:19 EDT 2010


On 27/09/2010 4:44 PM, Doug Barton wrote:
> On 9/27/2010 1:41 PM, Anthony Iliopoulos wrote:
>> On Mon, Sep 27, 2010 at 01:37:26PM -0700, Doug Barton wrote:
>>> On 9/27/2010 4:53 AM, Olafur Gudmundsson wrote:
>>>> An interesting question arises from the this data:
>>>> How long should a newly signed domain wait until it submits its DS to
>>>> the parent?.
>>>
>>> What harm is there if the child submits the DS to the parent before
>>> it's signed?
>>
>> It breaks the validation chain, the dnssec validator will have a
>> signed proof that there should be a matching DNSKEY in the child
>> zone, while there would be none. Any production validator will
>> treat this as a record striping-like attack and the zone will be
>> marked as bogus.
>
> Ok, interesting theory, but my question is how does the validator find
> out about the DS record in the first place? DNSSEC validation happens
> from the bottom up. If the validator doesn't see any RRSIGs why would it
> go looking for the DNSKEY?
>

It will get the DS as part of the NS referral answer and thus knows 
there should be a signed zone.

	Olafur


More information about the Dnssec-deployment mailing list