On 9 Feb 2024, at 03:10, darkdevil@darkdevil.dk wrote:
On 31-01-2024 at 20:47, Bjørn Mork wrote:
Why do they put their DNS servers in an unsigned zone?
To try to make a more in-depth example:
At the moment, .COM/.NET is relying on GTLD-SERVERS.NET for the authoritative DNS.
GTLD-SERVERS.NET is currently relying on NSTLD.COM for the authoritative DNS.
With this example, you are asking why neither GTLD-SERVERS.NET nor NSTLD.COM has been DNSSEC signed?
In that case, I would probably be extending that a bit, considering a lot of critical resources out there (even if announced as IPv6 /48 and IPv4 /24) still do not have any RPKI ROA, at all.
(But maybe that's just me...)
The NS records in a delegation are NOT SIGNED. The glue addresses in a referral are NOT SIGNED. Resolvers use those. They should get back signed answers from signed zones which are verifiable. If they get back unsigned answers for signed zones they will be rejected. If they get back unsigned answers from an unsigned zone then all bets are off. DNSSEC sign your zones if you are worried about that. There is potential for information leakage with this strategy, but not wrong answers being returned from signed zones. Signing the zones would help a little with the information leakage when the servers are not learnt by glue. It is impossible to prevent all information leakage even if all zones, delegations and glue were signed.
-- Kind regards, Arne Jensen
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
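As an added example (not code from either poster), the dependency walk Arne sketches, com -> gtld-servers.net -> nstld.com, over a constructed snapshot of which zones have a DS in their parent; the nstld.com NS names and DS status in the snapshot are assumptions, and `ds_published` is an optional live check that needs `dig` and network access.

```python
# Added example: follow a zone's nameserver-hostname chain and report which
# links are not DNSSEC signed (no DS in the parent). The SNAPSHOT below is a
# constructed illustration of the thread's claims, not a live lookup.
import subprocess

SNAPSHOT = {
    # zone: (DS published by parent?, NS hostnames)
    "com.":              (True,  ["a.gtld-servers.net."]),
    "gtld-servers.net.": (False, ["av1.nstld.com."]),
    "nstld.com.":        (False, ["av1.nstld.com."]),  # assumed in-bailiwick
}


def zone_of(host, zones):
    """Longest known zone that is a suffix of host, e.g.
    a.gtld-servers.net. -> gtld-servers.net.; None if no known zone matches."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def ns_chain(zone, data):
    """Walk zone -> zone hosting its NS names -> ... until the chain closes
    on itself (in-bailiwick NS, served by glue) or leaves the known set.
    Returns [(zone, signed), ...] in walk order."""
    chain, seen = [], set()
    while zone in data and zone not in seen:
        seen.add(zone)
        signed, nameservers = data[zone]
        chain.append((zone, signed))
        zone = zone_of(nameservers[0], data)
    return chain


def unsigned_links(zone, data):
    """Zones in the chain whose NS names a validating resolver cannot verify."""
    return [z for z, signed in ns_chain(zone, data) if not signed]


def ds_published(zone):
    """Live check (needs dig + network): does the parent publish a DS for zone?"""
    out = subprocess.run(["dig", "+short", "DS", zone],
                         capture_output=True, text=True).stdout
    return bool(out.strip())


if __name__ == "__main__":
    for z, signed in ns_chain("com.", SNAPSHOT):
        print(f"{z:20} {'signed' if signed else 'UNSIGNED'}")
```

Swap SNAPSHOT for real data by filling the DS column from `ds_published` and the NS column from `dig +short NS <zone>`.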