[Dnssec-deployment] .EU only publishes DS records that it can observe on the authoritative nameservers

Mark Andrews marka at isc.org
Thu Mar 31 07:49:14 EDT 2011


In message <4D9421D8.6090008 at simon.arlott.org.uk>, Simon Arlott writes:
> >> not have visibility of either key and then make the zone become
> >> unsigned when they update the DS records.
> >
> > Rubbish. Adding DNSKEY's is a standard part of rolling a DNSKEY.
> > You need an extremely large number of keys to not be able to fit them
> > all into a 64K DNS/TCP message.
> 
> I was thinking of temporary network issues preventing it reaching one of
> the nameservers. DS record insertion at the parent zone shouldn't depend
> on reachability at the child zone.

You don't need to reach all of the servers.  As long as the answer from
one of the servers validates and matches that should be enough.

> What if someone were able to intercept the registry's queries and return
> an unsigned zone during the (predictable) time that a DS record is added?

Well the registry should be doing DNSSEC validation with the DS records
it already has so such responses would be rejected.
 
> -- 
> Simon Arlott
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
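
The acceptance rule described in the reply above, as an added example (not part of the original message and not any registry's code): a submitted DS is accepted when at least one reachable server returns a validated DNSKEY RRset containing the key the DS refers to. The zone name, server names, toy key bytes and the `validated` flag (standing in for the registry's validator checking against the DS it already holds) are assumptions.

```python
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical (lowercase) wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields for a DNSKEY: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_acceptable(owner, submitted_ds, answers):
    """answers maps server -> None (unreachable) or (validated, [rdata, ...]).

    `validated` is an assumption of this sketch: it stands for the registry's
    validator having verified the DNSKEY RRset against the DS it already holds.
    One validated answer containing the matching key is enough.
    """
    for answer in answers.values():
        if answer is None:
            continue  # an unreachable server does not block the update
        validated, keys = answer
        if validated and any(make_ds(owner, k) == submitted_ds for k in keys):
            return True
    return False

# Constructed sample data: toy key bytes, hypothetical zone and server names.
OLD_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
NEW_KSK = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")
NEW_DS = make_ds("example.eu.", NEW_KSK)

if __name__ == "__main__":
    reachable = {"ns1": None, "ns2": (True, [OLD_KSK, NEW_KSK])}
    spoofed = {"ns1": (False, [NEW_KSK])}  # unsigned reply fails validation
    print(ds_acceptable("example.eu.", NEW_DS, reachable))  # True
    print(ds_acceptable("example.eu.", NEW_DS, spoofed))    # False
```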

