This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNSSEC trust anchors for unsigned zones
Alexander Gall
gall at switch.ch
Wed Jan 30 12:48:26 CET 2008
On Wed, 30 Jan 2008 11:00:38 +0000, Jim Reid <jim at rfc1035.com> said:

> On Jan 30, 2008, at 10:34, Alexander Gall wrote:
>> The current set of trust anchors distributed by RIPE NCC includes
>> the domains
>>
>> disi.nl example.net pwei.net
>>
>> None of these currently have any DNSSEC resource records (i.e. they
>> are insecure), which effectively breaks those zones for everybody who
>> uses that particular set of trust anchors.

> Doesn't everyone check any third party's trust anchors before
> configuring them into their secure resolvers?

Actually, I think this is an interesting but tricky question. Of course, everybody can eventually decide for themselves which trust anchors they want to accept. However, if somebody you trust (the RIPE NCC in this case) gives you a list of domains which are supposed to be secure (which is really what this is all about), you're susceptible to a downgrade attack when you're willing to drop a trust anchor because you conclude that DNSSEC is not enabled for a zone from unsigned query responses that might all be spoofed.

If you want to be really serious about this, you need to check with the distributor of the trust anchor and accept the zones to be bogus until things get fixed one way or the other. That would be pretty much what would happen if the parent zone was signed (and trusted) and had a DS record for the zone.

--
Alex
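The resolver-side rule the poster argues for, as an added example that is not code from the poster, the list or the RIPE NCC: a zone with a configured trust anchor whose answers carry no DNSKEY chaining to that anchor is classified as bogus, never downgraded to insecure on the strength of unsigned (and therefore spoofable) responses. The key tag and DS digest computations follow RFC 4034; the anchor dictionary layout, the function names and the DNSKEY material (a constructed dummy, not a real key) are this example's own assumptions, and RRSIG verification is deliberately out of scope.

```python
"""Trust-anchor handling without the downgrade path described in the thread.

Added example; not code from the RIPE NCC, the dns-wg list, or the poster.
Implements RFC 4034 key-tag and DS-digest computation and a resolver-side
decision rule: a zone that has a configured trust anchor but returns no
DNSKEY chaining to it is treated as BOGUS, never silently as INSECURE.
RRSIG (signature) checking is out of scope here.
"""
import base64
import hashlib
import struct

INSECURE, SECURE, BOGUS = "insecure", "secure", "bogus"


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire format, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner-name wire format || DNSKEY RDATA)."""
    if digest_type == 1:
        h = hashlib.sha1
    elif digest_type == 2:
        h = hashlib.sha256
    else:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def classify_zone(zone, trust_anchors, dnskey_rrset):
    """Decide a zone's status from the configured anchors and the DNSKEY RRset received.

    zone:          fully qualified zone name with trailing dot, e.g. "example.net."
    trust_anchors: {zone: [(key_tag, algorithm, digest_type, digest_hex), ...]}  (assumed layout)
    dnskey_rrset:  [(flags, protocol, algorithm, pubkey_b64), ...]; empty when the
                   answer carried no DNSKEY records at all.
    """
    anchors = trust_anchors.get(zone)
    if not anchors:
        # No anchor configured for this zone: nothing to chain to, so from this
        # resolver's point of view the zone is insecure (a signed parent's DS
        # record would be what decides otherwise).
        return INSECURE
    for tag, alg, dtype, digest in anchors:
        for flags, proto, algo, key in dnskey_rrset:
            rdata = dnskey_rdata(flags, proto, algo, key)
            if (algo == alg and key_tag(rdata) == tag
                    and ds_digest(zone, rdata, dtype) == digest.upper()):
                return SECURE  # a received key chains to a configured anchor
    # Anchored zone, but no received key matches the anchor: the anchor says the
    # zone must be signed, the (unsigned, spoofable) data says it is not. The
    # only safe answer is BOGUS; downgrading to INSECURE is exactly the attack.
    return BOGUS


if __name__ == "__main__":
    # Constructed dummy key material, not a real DNSKEY.
    dummy_key = (257, 3, 8, "AQI=")
    rdata = dnskey_rdata(*dummy_key)
    anchors = {"example.net.": [(key_tag(rdata), 8, 2, ds_digest("example.net.", rdata))]}
    print(classify_zone("example.net.", anchors, [dummy_key]))  # secure
    print(classify_zone("example.net.", anchors, []))           # bogus: anchored, no DNSKEY
    print(classify_zone("disi.nl.", anchors, []))               # insecure: no anchor configured
```

The third case shows the contrast the poster draws: without an anchor the resolver has no basis to demand signatures, but once an anchor for a zone is configured, the absence of matching DNSKEY data is a validation failure to be resolved with the anchor's distributor, not evidence that the zone was never signed.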