NLnetLabs / dnsimpl

The sources of dnsimpl.readthedocs.io.

No parent for the root #7

Open paulehoffman opened 1 week ago

paulehoffman commented 1 week ago

source/general-dnssec.rst indicates that there is a parent for the root and/or that there could be a DS for the root. These are not supported by anything in any of the RFCs, and are refuted by things like the trust anchor being a file and not a zone.

Philip-NLnetLabs commented 1 week ago

My reasoning is as follows: a DS record lives in the parent zone. So a query for "IN DS ." should be looked up in the parent zone. To validate any reply we need to know if the parent zone is secure, insecure, bogus, or indeterminate.

My initial assumption is that there is no trust anchor for the parent zone of the root, so the result should be indeterminate. This leads to another problem that a NODATA answer for DS needs to have a SOA record for the zone that is authoritative for DS. This zone obviously does not exist.

So there is only one way out: to assume that the root is actually authoritative for its own DS record.

Feel free to disagree. If you have any text you could contribute that helps the issue of how to validate the answer to "IN DS ." then please let me know, or create a pull request.

It is fine if the document ends up with multiple views on a subject.

paulehoffman commented 1 week ago

> My reasoning is as follows: a DS record lives in the parent zone. So a query for "IN DS ." should be looked up in the parent zone.

By definition, there is no parent zone.

> My initial assumption is that there is no trust anchor for the parent zone of the root, so the result should be indeterminate.

Trust anchors are not parent zones.

> So there is only one way out: to assume that the root is actually authoritative for its own DS record.

The other way out (the one I believe is correct and believe that most people would say is correct) is that there can be no "own DS record" for the root zone.

> Feel free to disagree. If you have any text you could contribute that helps the issue of how to validate the answer to "IN DS ." then please let me know, or create a pull request.

The valid answer for "IN DS ." is

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2413
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

Philip-NLnetLabs commented 1 week ago

If you can find any basis in the RFC that this is the correct answer, then I'm happy to include it.

I never said that a trust anchor is a parent zone. I said that in my reading of the RFCs, the root zone is considered authoritative for the DS record of the root zone. From that it follows that NOERROR/NODATA can be proven using an NSEC record for the apex of the root zone.
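The thread turns on how a validator arrives at secure, insecure, bogus or indeterminate for a zone, and on the fact that the root has no parent zone to ask for a DS record. The following is an added, simplified model of that chain walk, not code from the dnsimpl project or from either commenter. It assumes trust anchors keyed by zone name and a constructed `ds_present` table standing in for what a real validator learns from signed DS RRsets and NSEC/NSEC3 NODATA proofs in each parent zone; the root's state comes only from the trust anchor, never from a parent lookup.

```python
from typing import Dict, List, Optional

# Security states as named in RFC 4033 section 5 (simplified model, not an RFC-exact validator).
SECURE, INSECURE, BOGUS, INDETERMINATE = "secure", "insecure", "bogus", "indeterminate"


def zone_chain(name: str) -> List[str]:
    """Cut points from the root down to `name`: 'www.example.' -> ['.', 'example.', 'www.example.']."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def parent_zone(zone: str) -> Optional[str]:
    """The root has no parent zone; every other zone's parent is one label shorter."""
    if zone == ".":
        return None
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def security_state(name: str, trust_anchors: Dict[str, bool],
                   ds_present: Dict[str, Optional[bool]]) -> str:
    """Walk from the root to `name`, deriving each zone's state from its parent.

    trust_anchors[zone]: True if the configured anchor verifies the zone's DNSKEY, False if not.
    ds_present[zone] (constructed stand-in for the DS lookup done in the *parent* zone):
      True  = authenticated DS RRset matching the child's DNSKEY,
      False = authenticated NODATA proving no DS exists (delegation is unsigned),
      None / missing = nothing could be authenticated.
    """
    state = INDETERMINATE
    for zone in zone_chain(name):
        if zone in trust_anchors:
            # A trust anchor starts (or restarts) the chain; this is the only way the root gets a state.
            state = SECURE if trust_anchors[zone] else BOGUS
            continue
        if parent_zone(zone) is None:
            # No parent zone exists for the root, so there is nowhere to query "IN DS .".
            state = INDETERMINATE
            continue
        if state == SECURE:
            ds = ds_present.get(zone)
            state = SECURE if ds is True else INSECURE if ds is False else BOGUS
        # An insecure, bogus or indeterminate parent passes its state down unchanged.
    return state
```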