Hi Andrew,

On 6/24/25 12:20, Andrew McConachie wrote:

> Regarding the DNSSEC trust chain, it’s broken with both a zone cut to nowhere and a non-existent name. I guess the point this draft makes is that a signed lame delegation is better than a signed proof of non-existence. Either way the private resolver or private authoritative will have to ‘fake’ some DNSSEC data, because there can never be a ‘real’ signed DS RR in the parent zone.
Only when the child is supposed to be secure. When it's insecure, the parent claiming that its own DNSKEYs are applicable is just wrong. The delegation to nowhere provides a semantically more correct carve-out. Coincidentally, a secure delegation to nowhere allows provisioning a trust anchor for a private zone, which may be desirable in certain organizational settings. I'm not saying this is a reason to have this spec; I'm just listing actual (above) and potential (this) benefits.
> I’m still left with the question of: Why is a (signed/unsigned) lame-delegation better than (signed/unsigned) non-existence?
I've tried to answer it above.

Cheers,
Peter

_______________________________________________
DNSOP mailing list -- [email protected]
