[dns-wg] DNSSEC and DHCP

Op ma 22 mei , Joe Abley <[jabley at strandkip.nl](mailto:Op ma 22 mei  , Joe Abley <<a href=)> schreef:

> Op ma 22 mei , Julian Fölsch <[julian.foelsch at agdsn.de](mailto:Op ma 22 mei  , Julian Fölsch <<a href=)> schreef:
>
>> This however had the side effect that child zones that are not signed were no
>> longer resolving so I thought "Lets just sign them. Can't be that hard,
>> right?"
>
> Verifiably-insecure delegations (a zone cut with no DS records on the parent side) should not be a problem to resolve through a validating resolver. You shouldn't have to sign your child zones to make them work. It seems possible that something else was wrong?

Actually, here's a thought -- check that the zone cuts actually exist (that the parent has a delegating NS set, and that the child has apex SOA and NS sets).

If your parent zone and child zones were hosted on the same servers, lack of zone cuts wouldn't matter if they were all unsigned (there's no referral to return, so the lack of a delegation goes unnoticed).

However you need the delegation to be present if you want to signal that the child zone is unsigned.

Just guessing, but I've seen this kind of thing before (and not just in enterprise zones).

Joe

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/dns-wg/attachments/20230522/4d285163/attachment.html>