Signed root - missing RRSIG for delegation?

Alan Clegg aclegg at isc.org
Fri Jul 16 12:08:02 UTC 2010


On 7/16/2010 7:42 AM, Niobos wrote:
> On 2010-07-16 12:36, Alan Clegg wrote:
>> .net isn't signed, and you don't sign "out-of-zone" data (glue and
>> delegation NS records).
> 
> But org. is signed, and gives the same result.

.org does not have a DS record in the root yet.  This is an example of a
broken chain of trust, not validatable, but not bogus.

If you are using ISC's DLV, you should still be able to validate within
.ORG (see http://www.isc.org/community/blog/201007/whats-happening-dlv
for more information on what is happening to DLV now that the root is
signed).

> But anyway, it basically boils down to:
> 
>> On 7/16/2010 6:25 AM, Niobos wrote:
>>> It's probably just my lack of knowledge
> 
> Trying to enhance that: Am I correct to state that it's not possible to
> validate a delegation NS RRset?
> You can only validate it indirectly by checking if the DS at the parent
> matches the DNSKEY in the (presumed) child.

And that the NS in the child is signed by the ZSK that is signed by the
KSK that matches the DS in the parent.

The parent is not allowed to sign the NS records (nor glue), as it does
not truly 'own' the data -- only the child has that responsibility.

> It appears that DNSSEC was designed to verify from the QNAME back up to
> the root. I was trying to do it the other way around, hence my confusion.

A leap of faith (trust anchor) provides a validatable zone which
contains a DS record which validates a child DNSKEY which provides a
validatable zone which ... but you start by doing a query for the QNAME
in which you were interested and then chasing backwards, so yes.

I highly recommend http://dnsviz.net as a path to enlightenment.

AlanC
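Added illustration, not code from the thread: a toy resolver walk of the chain Alan describes, from the trust anchor through the parent's DS to the child's KSK, the ZSK it signs, and the child's own NS RRset, while the delegation NS the parent holds stays unsigned. Keyed hashes stand in for RRSIG signatures so it runs offline (in this toy the DNSKEY rdata doubles as the signing key), and all zone names, keys and the `bad.` zone with a stale DS are constructed; it distinguishes the thread's "broken chain, not bogus" case (no DS at the parent) from a genuinely bogus one.

```python
import hashlib, hmac

def ds_digest(owner, dnskey):
    """DS rdata: SHA-256 over owner name plus DNSKEY rdata, as a real DS is built."""
    return hashlib.sha256(owner.encode() + dnskey).hexdigest()

def rrsig(key, owner, rrtype, rdata):
    """Stand-in RRSIG: keyed hash (real DNSSEC uses RSA/ECDSA; constructed for this toy)."""
    return hmac.new(key, f"{owner} {rrtype} {rdata}".encode(), "sha256").hexdigest()

def build_zone(name, ksk, zsk, child_ds=(), delegations=()):
    """KSK signs DNSKEY; ZSK signs apex NS and DS; delegation NS for children stay unsigned."""
    return {
        "dnskey": (ksk, zsk), "rrsig_dnskey": rrsig(ksk, name, "DNSKEY", ksk + zsk),
        "ns": ("ns1." + name, rrsig(zsk, name, "NS", "ns1." + name)),
        "ds": {c: (d, rrsig(zsk, c, "DS", d)) for c, d in child_ds},
        "delegations": {c: "ns1." + c for c in delegations},  # out-of-zone data: no RRSIG
    }

def validate(zones, anchor_ds, qname):
    """Walk from the trust anchor down to qname; return 'secure', 'insecure' or 'bogus'."""
    labels = qname.rstrip(".").split(".")
    names = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    expected_ds = anchor_ds
    for i, name in enumerate(names):
        z = zones[name]; ksk, zsk = z["dnskey"]
        if ds_digest(name, ksk) != expected_ds or rrsig(ksk, name, "DNSKEY", ksk + zsk) != z["rrsig_dnskey"]:
            return "bogus"  # parent's DS does not match the KSK, or the KSK does not sign the DNSKEY set
        ns, sig = z["ns"]  # the child's own apex NS RRset, signed by its ZSK
        if rrsig(zsk, name, "NS", ns) != sig:
            return "bogus"
        if i == len(names) - 1: return "secure"
        child = names[i + 1]
        if child in z["ds"]:  # a signed DS hands trust down to the child's KSK
            d, sig = z["ds"][child]
            if rrsig(zsk, child, "DS", d) != sig:
                return "bogus"
            expected_ds = d
        elif child in z["delegations"]:  # delegated but no DS: chain broken, not bogus
            return "insecure"
        else:  # no zone cut below: the rest of the name is data inside this zone
            return "secure"

# Constructed zones: root signed; example. has a DS; org. and net. delegated without DS.
KEYS = {n: (f"{n}ksk".encode(), f"{n}zsk".encode()) for n in (".", "org.", "example.", "bad.")}
ROOT_DS = [("example.", ds_digest("example.", KEYS["example."][0])),
           ("bad.", ds_digest("bad.", b"stale-ksk"))]  # stale DS after a botched key rollover
ZONES = {".": build_zone(".", *KEYS["."], ROOT_DS, ["example.", "bad.", "org.", "net."]),
         "org.": build_zone("org.", *KEYS["org."]), "example.": build_zone("example.", *KEYS["example."]),
         "bad.": build_zone("bad.", *KEYS["bad."])}
TRUST_ANCHOR = ds_digest(".", KEYS["."][0])  # the trust anchor: the "leap of faith"
```

`validate(ZONES, TRUST_ANCHOR, "example.org.")` comes back `insecure` even though `org.` is signed, because the root holds only the unsigned delegation NS and no DS for it; `bad.` comes back `bogus` because the DS is present but matches no KSK.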
