On 09-Feb-2024, at 02:03, marka@isc.org wrote:
On 9 Feb 2024, at 03:10, darkdevil@darkdevil.dk wrote:

On 31-01-2024 at 20:47, Bjørn Mork wrote:
Why do they put their DNS servers in an unsigned zone?

To try to make a more in-depth example:

At the moment, .COM/.NET is relying on GTLD-SERVERS.NET for the authoritative DNS.

GTLD-SERVERS.NET is currently relying on NSTLD.COM for the authoritative DNS.

With this example, you are asking why neither GTLD-SERVERS.NET nor NSTLD.COM has been DNSSEC signed?

In that case, I would probably be extending that a bit, considering a lot of critical resources out there (even if announced as IPv6 /48 and IPv4 /24) still do not have any RPKI ROA, at all.

(But maybe that's just me...)

The NS records in a delegation are NOT SIGNED. The glue addresses in a referral are NOT SIGNED.
For taking care of referrals and delegations, the IETF has started preliminary work. More info here:

 https://mailarchive.ietf.org/arch/msg/dd/srNtevzS-jrPzMxYv1nATCY5JkM/

Resolvers use those.  They should get back signed answers from signed zones which are verifiable.
If they get back unsigned answers for signed zones they will be rejected.  If they get back unsigned
answers from an unsigned zone then all bets are off.  DNSSEC sign your zones if you are worried
about that.  There is potential for information leakage with this strategy, but not wrong answers
being returned from signed zones.  Signing the zones would help a little with the information
leakage when the servers are not learnt by glue.  It is impossible to prevent all information
leakage even if all zones, delegations and glue were signed.
--
Kind regards,
Arne Jensen
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
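The mechanism Mark describes (referral NS records and glue are unsigned, so a validating resolver can be steered to the wrong server, but an answer for a signed zone still has to validate against the DS chain, while an unsigned zone gives no such protection and the query itself leaks to whichever server was reached) as an added toy model. This is illustration code written for this page, not code from anyone in the thread. It assumes an HMAC keyed by a constructed zone key as a stand-in for DNSKEY/RRSIG, a SHA-256 hash of that key as a stand-in for the parent's DS record, and a dict of addresses as the "network"; every name, key and address is constructed sample data.

```python
"""Toy validating resolver following an unsigned referral (constructed example).

Stand-ins: HMAC-SHA256 with a zone key plays the role of DNSKEY+RRSIG, and the
SHA-256 of that key plays the role of the DS record the parent publishes.
The parent is trusted via a configured trust anchor. All data is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    key: bytes                       # stand-in for the zone's signing key
    records: dict                    # owner -> A rdata
    delegations: dict = field(default_factory=dict)  # child -> (ns, glue, ds or None)


def canonical(owner, rdata):
    return f"{owner.lower()} A {rdata}".encode()


def sign(key, owner, rdata):
    # RRSIG stand-in: keyed MAC over the canonical RRset
    return hmac.new(key, canonical(owner, rdata), hashlib.sha256).hexdigest()


def ds_of(key):
    # DS stand-in: digest of the child's key, published by the parent
    return hashlib.sha256(key).hexdigest()


class Server:
    """An authoritative server for one zone; answers with 'DNSKEY' and 'RRSIG'."""
    def __init__(self, zone):
        self.zone = zone

    def query(self, owner):
        rdata = self.zone.records[owner]
        return {"dnskey": self.zone.key, "rdata": rdata,
                "rrsig": sign(self.zone.key, owner, rdata)}


def resolve(parent, network, glue_override, child, owner):
    """Follow the parent's referral for `child`, then validate the answer.

    glue_override models the fact that the referral's NS/glue are not signed:
    a resolver that learns a different address uses it without any check.
    Returns status ('secure' | 'insecure' | 'bogus'), rdata, and which server
    actually received the query (the information-leakage angle).
    """
    _ns, glue_addr, ds = parent.delegations[child]
    addr = glue_override.get(child, glue_addr)     # unsigned glue, taken at face value
    answer = network[addr].query(owner)
    if ds is None:
        # Parent publishes no DS: the child is unsigned, nothing can be verified.
        return {"status": "insecure", "rdata": answer["rdata"], "queried": addr}
    if ds_of(answer["dnskey"]) != ds:
        # Key offered by the server does not match the DS in the signed parent.
        return {"status": "bogus", "rdata": None, "queried": addr}
    expected = sign(answer["dnskey"], owner, answer["rdata"])
    if not hmac.compare_digest(expected, answer["rrsig"]):
        return {"status": "bogus", "rdata": None, "queried": addr}
    return {"status": "secure", "rdata": answer["rdata"], "queried": addr}


# --- constructed sample data (documentation address ranges) -------------------
SIGNED_KEY = b"constructed-key-for-signed.example"
ROGUE_KEY = b"constructed-key-held-by-impostor"

signed_child = Zone("signed.example", SIGNED_KEY, {"www.signed.example": "192.0.2.10"})
unsigned_child = Zone("unsigned.example", b"constructed-unused-key",
                      {"www.unsigned.example": "192.0.2.20"})
# Impostors serving the same names from their own key / own data
rogue_signed = Zone("signed.example", ROGUE_KEY, {"www.signed.example": "203.0.113.66"})
rogue_unsigned = Zone("unsigned.example", ROGUE_KEY, {"www.unsigned.example": "203.0.113.77"})

PARENT = Zone("example", b"constructed-parent-trust-anchor", {}, delegations={
    "signed.example": ("ns1.signed.example", "192.0.2.1", ds_of(SIGNED_KEY)),
    "unsigned.example": ("ns1.unsigned.example", "192.0.2.2", None),
})

NETWORK = {
    "192.0.2.1": Server(signed_child),
    "192.0.2.2": Server(unsigned_child),
    "203.0.113.1": Server(rogue_signed),
    "203.0.113.2": Server(rogue_unsigned),
}


def scenario(glue_override):
    """Resolve one name under each child zone with the given glue view."""
    return {
        "signed.example": resolve(PARENT, NETWORK, glue_override, "signed.example", "www.signed.example"),
        "unsigned.example": resolve(PARENT, NETWORK, glue_override, "unsigned.example", "www.unsigned.example"),
    }


if __name__ == "__main__":
    print("correct glue:", scenario({}))
    print("wrong glue:  ", scenario({"signed.example": "203.0.113.1",
                                      "unsigned.example": "203.0.113.2"}))
```

With correct glue the signed child validates as secure and the unsigned child comes back insecure. With the glue pointing at the impostors, the signed child is rejected as bogus because the impostor cannot present a key matching the parent's DS, while the unsigned child is accepted with the impostor's data. In both cases `queried` shows the query reached the impostor, which is the residual information leakage Mark refers to.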