timapril / ns2

Parameterized Nameserver Delegation with NS2 and NS2T

NS2 and NS2T SHOULD be DNSSEC signed #2

Closed timapril closed 4 years ago

timapril commented 4 years ago

Whenever authoritative (both in parent and child zones), NS2 and NS2T records should be signed.

jdreed commented 4 years ago

(copying from discussion elsewhere)

I think it's worth touching on recommendations if only one can be signed? (Which I think is usually the parent, since all the major TLDs are signed.)

jrlevine commented 4 years ago

In a zone file, only the NS at the apex are signed. The other NS at zone cuts are glue and are not signed. Adding to the confusion, the DS records at the zone cut are signed, and have to match the signed DNSKEY at the child zone apex. I think it would be a problem to have competing authoritative RRSETs for the same rrtype and same name in parent and child. It would be a large change to DNSSEC semantics where currently there is only one source for any signed RRSET. (Multiple servers with the same zone are considered to be the same source.)
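The DS-to-DNSKEY match described in the comment above is the only place where a parent-side signed record and a child-side signed record have to agree at a zone cut, so it is worth seeing exactly what a validator checks. The following is an added example, not code from the ns2 repository or from any of the commenters: it builds a DS record from a DNSKEY the way RFC 4034 specifies (key tag from Appendix B, SHA-256 digest over the canonical wire-format owner name followed by the DNSKEY RDATA) and then verifies a DNSKEY against a DS. The owner name `example.com.` and the 64-byte public key are constructed placeholder values, not a real key; the names `make_ds` and `ds_matches` are this example's own.

```python
import hashlib
import hmac
import struct

# RFC 4034 digest type 2 is SHA-256, the digest type validators are required to support.
DIGEST_SHA256 = 2


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical wire format: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit sum over the DNSKEY RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> dict:
    """Build the DS record the parent would publish for this child DNSKEY."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    # The digest covers the canonical owner name plus the full DNSKEY RDATA, not just the key.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_matches(owner: str, rdata: bytes, ds: dict) -> bool:
    """What a validator does at the zone cut: does the child's DNSKEY match the parent's DS?"""
    try:
        expected = make_ds(owner, rdata, ds["digest_type"])
    except ValueError:
        return False
    return (
        expected["key_tag"] == ds["key_tag"]
        and expected["algorithm"] == ds["algorithm"]
        and hmac.compare_digest(expected["digest"], ds["digest"])
    )


# Constructed sample: a KSK (flags 257) for algorithm 13 with a placeholder 64-byte key.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = bytes(range(64))  # placeholder bytes, not a real ECDSA key
SAMPLE_DNSKEY = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY)

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("child DNSKEY matches parent DS:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
    # Any change to the child's key, or a different owner name, breaks the chain.
    altered = dnskey_rdata(257, 3, 13, bytes([1]) + SAMPLE_PUBKEY[1:])
    print("altered DNSKEY matches parent DS:", ds_matches(SAMPLE_OWNER, altered, ds))
```

The point for this issue: the DS lives and is signed in the parent, the DNSKEY lives and is signed in the child, and the two are tied together only by this digest; neither zone ever publishes a signed copy of the other's RRset, which is the single-source property the comment refers to.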