On Wed, 30 Jan 2008 11:00:38 +0000, Jim Reid <jim@rfc1035.com> said:

> On Jan 30, 2008, at 10:34, Alexander Gall wrote:
>
>> The current set of trust anchors distributed by RIPE NCC includes the domains
>>
>> disi.nl example.net pwei.net
>>
>> None of these currently have any DNSSEC resource records (i.e. they are insecure), which effectively breaks those zones for everybody who uses that particular set of trust anchors.
>
> Doesn't everyone check any third party's trust anchors before configuring them into their secure resolvers?
Actually, I think this is an interesting but tricky question. Of course, everybody can eventually decide for themselves which trust anchors they want to accept. However, if somebody you trust (the RIPE NCC in this case) gives you a list of domains which are supposed to be secure (which is really what this is all about), you're susceptible to a downgrade attack when you're willing to drop a trust anchor because you conclude that DNSSEC is not enabled for a zone from unsigned query responses that might all be spoofed. If you want to be really serious about this, you need to check with the distributor of the trust anchor and accept the zones to be bogus until things get fixed one way or the other. That would be pretty much what would happen if the parent zone was signed (and trusted) and had a DS record for the zone.

-- Alex
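The downgrade risk Alex describes can be made concrete with a small model of a validating resolver's decision. This is an added example, not code from any of the posters or from the RIPE NCC; the two policies ("lenient" and "strict"), the `Resolver` and `Response` classes, and the `confirmed_unsigned` set standing in for "check with the distributor of the trust anchor" are all constructed for illustration. The zone names are the three from the thread; the responses are constructed inline.

```python
"""Model of the trust-anchor downgrade discussed in the thread.

Added example (not the posters' code). A resolver holds a list of trust
anchors and receives an answer for one of those zones. Two hypothetical
policies decide what an *unsigned* answer for an anchored zone means:

  - "lenient": conclude the zone is not signed, drop the anchor, and
    return "insecure". An attacker who spoofs an unsigned answer gets the
    anchor removed, which is exactly the downgrade Alex warns about.
  - "strict":  a configured anchor is a promise that the zone is signed,
    so an unsigned answer is "bogus" until the anchor distributor
    confirms out of band that the zone really is unsigned.
"""
from dataclasses import dataclass, field

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed: the anchor list from the thread.
RIPE_ANCHORS = {"disi.nl", "example.net", "pwei.net"}


@dataclass
class Response:
    zone: str
    has_rrsig: bool         # did the answer carry RRSIG records at all?
    signature_valid: bool   # did the RRSIG verify against the anchored key?


@dataclass
class Resolver:
    policy: str                                   # "lenient" or "strict"
    trust_anchors: set = field(default_factory=set)
    # Hypothetical out-of-band confirmations from the anchor distributor
    # that a zone is genuinely unsigned (the "check with the distributor"
    # step from the thread).
    confirmed_unsigned: set = field(default_factory=set)

    def validate(self, resp: Response) -> str:
        if resp.zone not in self.trust_anchors:
            # No anchor, no expectation: ordinary unsigned DNS.
            return INSECURE
        if resp.has_rrsig:
            return SECURE if resp.signature_valid else BOGUS
        # Unsigned answer for a zone we hold an anchor for.
        if resp.zone in self.confirmed_unsigned:
            # The distributor told us the zone is unsigned: dropping the
            # anchor is now based on trusted information, not on a response.
            self.trust_anchors.discard(resp.zone)
            return INSECURE
        if self.policy == "lenient":
            # Downgrade happens here: a single spoofable answer removes the
            # anchor for good.
            self.trust_anchors.discard(resp.zone)
            return INSECURE
        return BOGUS


def downgrade_scenario(policy: str, confirmed: bool = False):
    """Feed one unsigned (possibly spoofed) answer for example.net to a
    resolver using `policy`; return (validation result, anchor still held)."""
    r = Resolver(policy=policy, trust_anchors=set(RIPE_ANCHORS))
    if confirmed:
        r.confirmed_unsigned.add("example.net")
    spoofed = Response("example.net", has_rrsig=False, signature_valid=False)
    result = r.validate(spoofed)
    return result, "example.net" in r.trust_anchors


def signed_scenario(valid: bool) -> str:
    """A signed answer for an anchored zone: secure iff the signature checks."""
    r = Resolver(policy="strict", trust_anchors=set(RIPE_ANCHORS))
    return r.validate(Response("disi.nl", has_rrsig=True, signature_valid=valid))


if __name__ == "__main__":
    for pol in ("lenient", "strict"):
        print(pol, downgrade_scenario(pol))
    print("strict, distributor confirmed unsigned:", downgrade_scenario("strict", True))
```

Under the lenient policy the spoofed unsigned answer both validates as "insecure" and silently removes the anchor; under the strict policy the same answer is "bogus" and the anchor survives until the distributor confirms the zone is unsigned, which mirrors what a signed parent with a DS record would enforce automatically.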