hat tip to .gov hostmasters

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Sep 22 10:27:07 CDT 2008

On Mon, Sep 22, 2008 at 11:11:40AM -0400, Keith Medcalf wrote:
> > Correct, you need a validating, security-aware stub resolver, or the
> > ISP needs to validate the records for you.
> That would defeat the entire purpose of using DNSSEC.  In order for DNSSEC to actually provide any improvement in security whatsoever, the ROOT ZONE (.) needs to be signed, and every delegation up the chain needs to be signed.  And EVERY resolver (whether recursive or local on host) needs to understand and enforce DNSSEC.

	er, no. the root zone does not need to be signed and not every delegation.
	and only the resolvers in the path from auth servers to validators need to 
	ensure that the DNSSEC data is retained.

	if the only TA I have is for .SE (configured in my validator) and my resolver
	passes the DNSSEC data unchanged it received from the .SE servers, then I can
	securely trust the (short) validation chain when I look up  axfr.se.
	even though -nothing else- is signed.

> If even one delegation is unsigned or even one resolver does not enforce DNSSEC, then, from an actual security perspective, you will be far worse off than you are now.

	depends on your POV of course... 

> Until such time as EVERY SINGLE DOMAIN including the root is signed and every single DNS Server and resolver (including the local host resolvers) understand and enforce DNSSEC you should realize that DNSSEC does nothing for you whatsoever except give the uneducated a false sense of "security".

	I think  you have unrealistic expectations.  Time will tell.
> It is likely that IPv48 will be deployed long before DNSSEC is implemented.


More information about the NANOG mailing list