[Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

Anders Kaseorg andersk at mit.edu
Fri Oct 3 17:35:08 EDT 2014


On Fri, 3 Oct 2014, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 03 Oct 2014 05:28:35 -0400, Anders Kaseorg said:
> > This bottom-up algorithm also seems to have a security problem that’s 
> > just as bad as one with the top-down algorithm that you rejected 
> > below.  Consider the same department.campus.university.edu example, 
> > where campus and edu are signed zones, and university is not a zone.
> 
> This issue is why trust anchors were devised so people could start 
> deploying DNSSEC before stuff like .COM got signed.

No, you’re misreading.  Trust anchors address the case where 
campus.university.edu is a signed zone and university.edu is an unsigned 
zone.  We’re talking about the case where university.edu is not a zone at 
all, so that campus.university.edu is served directly from the edu zone.

Obviously this won’t happen at the real edu zone, but real examples exist: 
env.state.ma.us, state.ma.us, us are signed zones, and ma.us is not a 
zone.

Anders
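The zone-cut structure described above, as an added Python example that is not part of the original thread: the zone inventory is constructed to mirror the env.state.ma.us case (env.state.ma.us, state.ma.us and us are signed zones; ma.us is not a zone), and it shows how a walk over label boundaries differs from a walk over actual zone apexes.

```python
"""Zone cuts vs. label boundaries in a DNSSEC chain of trust (toy model).

Added example, not code from the mailing-list post or from dnsmasq. The zone
inventory is constructed; DS/DNSKEY matching is not modelled.
"""

# Constructed inventory: zone apex -> whether that zone is DNSSEC-signed.
# A name absent from this dict is not a zone apex at all (e.g. ma.us),
# so its records live directly in the next enclosing zone (us).
ZONES = {
    ".": True,
    "us": True,
    "state.ma.us": True,
    "env.state.ma.us": True,
}


def labels_bottom_up(name):
    """Yield every label boundary from the name up to the root:
    env.state.ma.us -> state.ma.us -> ma.us -> us -> ."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    for i in range(len(parts)):
        yield ".".join(parts[i:])
    yield "."


def enclosing_zone(name):
    """Nearest zone apex at or above the name (the zone that serves it)."""
    for candidate in labels_bottom_up(name):
        if candidate in ZONES:
            return candidate
    return "."


def zone_chain(name):
    """Zone apexes from the name's own zone up to the root. Label boundaries
    that are not zone cuts (ma.us here) do not appear: the parent of
    state.ma.us in the chain of trust is us, not ma.us."""
    return [c for c in labels_bottom_up(name) if c in ZONES]


def is_securely_delegated(name):
    """The chain is unbroken only if every zone on the path is signed."""
    return all(ZONES[z] for z in zone_chain(name))


if __name__ == "__main__":
    print("label walk:", list(labels_bottom_up("env.state.ma.us")))
    print("zone walk: ", zone_chain("env.state.ma.us"))
    print("ma.us is served from zone:", enclosing_zone("ma.us"))
```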


