[Dnssec-deployment] DNSSEC aware recursive name servers
ben at links.org
Fri Aug 5 06:29:41 EDT 2011
On Fri, Aug 5, 2011 at 11:15 AM, Florian Weimer <fweimer at bfk.de> wrote:
> * Ben Laurie:
>> On Fri, Aug 5, 2011 at 10:57 AM, Ondřej Surý <ondrej.sury at nic.cz> wrote:
>>> DS for cz is in the root zone and not on the nic.cz servers.
>> Yes, I understand that. However, a DNSSEC unaware resolver does not.
>> This seems like a bit of a design flaw in DNSSEC.
>> If the spec had said for the child to also serve its own DS record and
>> recursively fetch the parent's RRSIG(s) for it, then even
>> DNSSEC-unaware recursive resolvers would have a chance...
> There's a chicken-and-egg problem. The parent might want to check that
> key records exist before making the delegation and publishing the DS
> RRset. I agree that this is quite odd. Perhaps QTYPE=DS should have
> used a meta-type because the processing is special.
> But this ship has sailed. You cannot expect a DNSSEC-unaware resolver
> *not* to strip RRs with owner names totally unrelated to the query, as
> it happens with NSEC3 records.
Yeah, NSEC3 does seem problematic :-)
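Added illustration, not part of the thread: a small Python model of the two points above, namely that the DS RRset for cz. is published at the parent side of the zone cut (the root), so a lookup directed at the child's own servers gets nothing, and that a resolver which only keeps RRs whose owner name is the query name or one of its ancestors will drop NSEC3 records, whose hashed owner names are unrelated to the query. Zone contents, digests and hashes are constructed placeholders; nothing here is a real DNS client.

```python
"""Toy model of DS placement across a zone cut and of out-of-bailiwick stripping.

Constructed example. ZONES stands in for the root zone and the cz. zone;
the DS digest, DNSKEY material and NSEC3 hashes are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str   # fully-qualified owner name with trailing dot
    rtype: str
    rdata: str


# Constructed zone data. The DS for "cz." lives in the parent (root) zone;
# the cz. apex carries its DNSKEY but no DS.
ZONES = {
    ".": [
        RR(".", "SOA", "root.placeholder. hostmaster.placeholder. 1 3600 900 604800 86400"),
        RR("cz.", "NS", "ns.nic.cz."),
        RR("cz.", "DS", "12345 8 2 PLACEHOLDER-DIGEST"),
    ],
    "cz.": [
        RR("cz.", "SOA", "ns.nic.cz. hostmaster.nic.cz. 1 3600 900 604800 86400"),
        RR("cz.", "NS", "ns.nic.cz."),
        RR("cz.", "DNSKEY", "257 3 8 PLACEHOLDER-KSK"),
        RR("nic.cz.", "A", "192.0.2.1"),
        # NSEC3 chain: owner names are hashes, unrelated to any query name.
        RR("PLACEHOLDERHASH1.cz.", "NSEC3", "1 0 10 - PLACEHOLDERHASH2 NS SOA DNSKEY"),
        RR("PLACEHOLDERHASH2.cz.", "NSEC3", "1 0 10 - PLACEHOLDERHASH1 A"),
    ],
}


def is_ancestor_or_equal(owner: str, qname: str) -> bool:
    """True if owner is qname itself or a zone-cut-aligned suffix of it."""
    if owner == ".":
        return True
    return qname == owner or qname.endswith("." + owner)


def parent_of(name: str) -> str:
    """Strip the leftmost label; the parent of a TLD is the root."""
    if name == ".":
        raise ValueError("root has no parent")
    rest = name.rstrip(".").split(".")[1:]
    return ".".join(rest) + "." if rest else "."


def zone_for(name: str) -> str:
    """Longest-suffix match over the zone apexes we model."""
    return max((z for z in ZONES if is_ancestor_or_equal(z, name)), key=len)


def query_zone(zone: str, qname: str, qtype: str) -> list[RR]:
    return [rr for rr in ZONES[zone] if rr.owner == qname and rr.rtype == qtype]


def where_to_ask(qname: str, qtype: str) -> str:
    """DS for a delegated name is held by the parent, not the child."""
    zone = zone_for(qname)
    if qtype == "DS" and zone == qname:
        return zone_for(parent_of(qname))
    return zone


def lookup(qname: str, qtype: str) -> list[RR]:
    """DS-aware lookup: asks the parent for DS at a zone apex."""
    return query_zone(where_to_ask(qname, qtype), qname, qtype)


def naive_lookup(qname: str, qtype: str) -> list[RR]:
    """What you get by asking only the servers authoritative for qname."""
    return query_zone(zone_for(qname), qname, qtype)


def negative_response(qname: str) -> list[RR]:
    """Constructed authoritative negative answer: SOA plus the NSEC3 chain."""
    return [rr for rr in ZONES[zone_for(qname)] if rr.rtype in ("SOA", "NSEC3")]


def strip_unrelated(qname: str, rrs: list[RR]) -> list[RR]:
    """Model of a DNSSEC-unaware resolver keeping only RRs whose owner is the
    query name or an ancestor of it; hashed NSEC3 owners never qualify."""
    return [rr for rr in rrs if is_ancestor_or_equal(rr.owner, qname)]


if __name__ == "__main__":
    print("ask parent for DS:", lookup("cz.", "DS"))          # one DS RR
    print("ask child for DS: ", naive_lookup("cz.", "DS"))    # empty
    resp = negative_response("nonexistent.cz.")
    print("kept after stripping:", strip_unrelated("nonexistent.cz.", resp))
```

Running it shows the DS only appears when the query is routed to the root side of the cut, and that the NSEC3 RRs vanish from the negative answer once the "unrelated owner name" filter is applied, leaving just the SOA.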