Re: [DNSOP] DNSSEC validation latency

[Tony Finch <dot@dotat.at>]

✅ Roy Arends <roy@dnss.ec> wrote:
>
> > So in the trace above, step (4) is redundant: the resolver already
> > received the DS in step (1).
>
> In this case, yes. However, this is not consistent across all delegation
> points. As an example, UK and ORG.UK are hosted from the same set of
> servers. When asked about, say, nominet.org.uk, these servers will
> happily refer to the proper nameservers, including a DS record for
> nominet.org.uk. However, the validating resolver needs to explicitly ask
> for the org.uk DS record, since it will not show up in any delegation
> response.

Happily, unless there is more than one intermediate zone cut, the resolver
can get the missing DS and DNSKEY RRs in the same round trip it uses to
follow the referral.

But yes, that is a good example of a situation where you have to do
at least a little upwards validation.

> > Furthermore, the presence of the DS in the referral tells the resolver
> > that it will need the DNSKEY RRset in order to validate the answer, so it
> > should send queries (2) and (3) concurrently.
>
> Not necessarily. www.cam.ac.uk might be an unsigned delegation from the
> signed cam.ac.uk, so this might be followed by another query (for the
> www.cam.ac.uk record from the www.cam.ac.uk name servers).

Right, but having got the referral at www.cam.ac.uk and the cam.ac.uk
DNSKEY RRset, we are in the same situation as in my original example, but
one level further down the hierarchy.

> If that succeeds, only then validation makes sense.

Why? Why not validate the chain of referrals as you follow them? The
protocol is designed to support that otherwise it would not include the DS
in the referral.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.