[Dnssec-deployment] Signed TLD status
casey at deccio.net
Mon Sep 27 23:43:17 EDT 2010
On Mon, Sep 27, 2010 at 6:42 PM, James M Galvin <jgalvin at afilias.info> wrote:
> -- On September 28, 2010 1:04:25 AM +0000 Evan Hunt <each at isc.org> wrote
> regarding Re: [Dnssec-deployment] Signed TLD status --
>> > Should this matter? Shouldn't it be the case that the resolver is
>> > not going to look for validation until it knows the zone is
>> > signed, which it won't know until the TTL in its cache expires and
>> > it re-queries? If it does this it will then get everything it
>> > needs (or follow up asking for it) and move on.
>> The zone's NS record might expire from the cache before all of the
>> other records have, in which case the resolver would get a new
>> delegation and see the DS; the unsigned records remaining in the
>> cache would then appear to be invalid.
> Yes but shouldn't the resolver realize it doesn't have the SIG records and
> thus query for them?
As a zone administrator you can't make that assumption for several
reasons. First, this special consideration is implementation
specific, so there's not guarantee that a validating resolver will be
so smart. Also, it may be that a validating resolver does not query
authoritative servers directly but forward its requests to an upstream
recursive resolver. In such a case, the validation server is at the
whim of the upstream cache, regardless of whether the it does DNSSEC
validation or not, and whether it practices extra DNSSEC diligence
(e.g., to find updated RRsets that have RRSIGs) or not.
Proper TTL expiration is the only way to make sure obsolete RRsets are
effectively flushed from caches, so they don't result in bogus
More information about the Dnssec-deployment