ru tld down?
Gaurav Kansal
gaurav.kansal at nic.in
Fri Feb 9 08:31:26 UTC 2024
> On 09-Feb-2024, at 02:03, marka at isc.org wrote:
>
>
>
>> On 9 Feb 2024, at 03:10, darkdevil at darkdevil.dk wrote:
>>
>>> On 31-01-2024 at 20:47, Bjørn Mork wrote:
>>> Why do they put their DNS servers in an unsigned zone?
>>
>> To try to make a more in-depth example:
>>
>> At the moment, .COM/.NET is relying on GTLD-SERVERS.NET for the authoritative DNS.
>>
>> GTLD-SERVERS.NET is currently relying on NSTLD.COM for the authoritative DNS.
>>
>> With this example, you are asking why neither GTLD-SERVERS.NET nor NSTLD.COM has been DNSSEC signed?
>>
>> In that case, I would probably be extending that a bit, considering a lot of critical resources out there (even if announced as IPv6 /48 and IPv4 /24) still do not have any RPKI ROA, at all.
>>
>> (But maybe that's just me...)
>
> The NS records in a delegation are NOT SIGNED. The glue addresses in a referral are NOT SIGNED.
For taking care of referrals and delegations, the IETF has started preliminary work. More info here:
https://mailarchive.ietf.org/arch/msg/dd/srNtevzS-jrPzMxYv1nATCY5JkM/
> Resolvers use those. They should get back signed answers from signed zones which are verifiable.
> If they get back unsigned answers for signed zones they will be rejected. If they get back unsigned
> answers from an unsigned zone then all bets are off. DNSSEC sign your zones if you are worried
> about that. There is potential for information leakage with this strategy, but not wrong answers
> being returned from signed zones. Signing the zones would help a little with the information
> leakage when the servers are not learnt by glue. It is impossible to prevent all information
> leakage even if all zones, delegations and glue were signed.
>
>
>> --
>> Med venlig hilsen / Kind regards,
>> Arne Jensen
>>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
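The point made in the quoted reply, that delegation NS records and glue carry no signatures while the DS RRset does, shown as an added example that is not part of the original thread. The referral text is constructed (zone names, addresses, key tags and the digest/signature placeholders are made up), and the code only checks whether an RRSIG is present for each RRset; it does not verify signatures.

```python
# Constructed sample: dig-style referral from a signed parent ("example.") to a
# signed child ("child.example."). All names and values are invented.
REFERRAL = """\
;; AUTHORITY SECTION:
child.example.      3600 IN NS    ns1.child.example.
child.example.      3600 IN NS    ns2.child.example.
child.example.      3600 IN DS    12345 13 2 PLACEHOLDERDIGEST
child.example.      3600 IN RRSIG DS 13 2 3600 20240301000000 20240201000000 54321 example. PLACEHOLDERSIG
;; ADDITIONAL SECTION:
ns1.child.example.  3600 IN A     192.0.2.1
ns2.child.example.  3600 IN AAAA  2001:db8::2
"""


def rrset_coverage(text):
    """Map (owner, type) -> True if an RRSIG in the message covers that RRset."""
    rrsets, covered = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig section headers
        fields = line.split()
        if len(fields) < 5:
            continue  # not a complete resource record line
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "RRSIG":
            # First RDATA field of an RRSIG is the type it covers.
            covered.add((owner, fields[4].upper()))
        else:
            rrsets.add((owner, rtype))
    return {key: key in covered for key in sorted(rrsets)}


def delegation_is_signed(text, child):
    """True if the parent supplies a DS RRset for `child` with an RRSIG.

    This is what tells a validating resolver to expect signed answers from
    the child zone, regardless of how it learnt the server addresses.
    """
    return rrset_coverage(text).get((child.lower(), "DS"), False)


if __name__ == "__main__":
    for (owner, rtype), signed in rrset_coverage(REFERRAL).items():
        print(f"{owner:22} {rtype:5} {'signed' if signed else 'UNSIGNED'}")
    print("child must return signed answers:",
          delegation_is_signed(REFERRAL, "child.example."))
```
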