2010/08/22

Root and TLDs shall not sign child's NS glue records

I have been wondering whether the root zone and the TLDs are required to sign the NS glue records for their child zones, since these TLDs are required to sign the DS records of their child zones. The answer is no. The current DNSSEC specifications do not require such signing, as TLDs are not authoritative for their child zones' glue records. Whatever is submitted will be accepted and stored without question. To give a live example: if I get abc.com and the glue records say ns1.abc.com is at 1.2.3.4, Verisign, the operator of the .com TLD, will never ask me to prove this information.

Sounds pretty reasonable. Will there be any risk because the NS glue records for child zones are not signed? Hackers will know after some time.
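The split between signed and unsigned data in a parent zone, as an added example that is not part of the original post: it applies the signing rules of RFC 4035 (sections 2.2 and 2.4) to a constructed .com-like zone containing the abc.com delegation from above. The record values, the `unsigned.com.` delegation and the function names are assumptions made for illustration.

```python
# Constructed parent-zone contents: (owner, type, rdata). Not real zone data.
APEX = "com."
RECORDS = [
    ("com.", "SOA", "(placeholder)"),
    ("com.", "NS", "a.gtld-servers.net."),
    ("com.", "DNSKEY", "(placeholder key)"),
    ("abc.com.", "NS", "ns1.abc.com."),          # delegation NS
    ("abc.com.", "DS", "(placeholder digest)"),  # hash of the child's key
    ("ns1.abc.com.", "A", "1.2.3.4"),            # glue from the post
    ("unsigned.com.", "NS", "ns.example.net."),  # delegation with no DS
]

def is_at_or_below(name, parent):
    """True if name equals parent or is a subdomain of it."""
    return name == parent or name.endswith("." + parent)

def classify(records, apex):
    """Map (owner, type) to whether the parent signs that RRset and why."""
    # Any NS RRset owned by a name other than the apex marks a zone cut.
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}
    result = {}
    for owner, rtype, _ in records:
        # Topmost cut at or above this owner name, if any.
        cut = min((c for c in cuts if is_at_or_below(owner, c)),
                  key=len, default=None)
        if cut is None:
            result[(owner, rtype)] = (True, "authoritative data")
        elif owner == cut and rtype in ("DS", "NSEC", "NSEC3"):
            result[(owner, rtype)] = (True, "parent side of the delegation")
        elif owner == cut and rtype == "NS":
            result[(owner, rtype)] = (False, "delegation NS")
        else:
            result[(owner, rtype)] = (False, "glue below the zone cut")
    return result

def unauthenticated_delegations(records, apex):
    """Delegated names for which the parent holds no DS record."""
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}
    with_ds = {o for o, t, _ in records if t == "DS"}
    return sorted(cuts - with_ds)

if __name__ == "__main__":
    for (owner, rtype), (signed, why) in classify(RECORDS, APEX).items():
        print(f"{owner:15} {rtype:7} {'RRSIG' if signed else 'no sig':7} {why}")
    print("no DS:", unauthenticated_delegations(RECORDS, APEX))
```

For abc.com the only signed record the parent publishes is the DS, so a validating resolver authenticates the child through the DS and the child's own signed DNSKEY, NS and A records rather than through the glue.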
