Re: DNSSEC and Parent SIG in Child zone

[Edward Lewis <lewis@tislabs.com>]

I think the reason why the SIG(KEY) is assumed to be in the child has to do
with reducing the burden on the parent.  (Assumed to be - by the
specification, that is.)  E.g., I did the following queries:

dig @A.ROOT-SERVERS.NET. abc.com ns +norec

and

dig @DNS1.STARWAVE.COM. abc.com ns +norec

You notice that the first returns just two NS records (with a long TTL) and
the latter returns 5 NS records (and a short TTL).  This is okay - the NS
set from the child is more credible (RFC 2181) and "overwrites" the glue at
the parent.

Now, what do we do about the SIG(KEY) and KEY?  How does the above relate?

First, what happens (or what should happen) when I do a query for KEY from
abc.com?  Would the parent (.com) just issue a referral (with the KEY in
the additional section) or issue the straight answer?  What if the
signature doesn't fit in the 512 (or EDNS0 enabled larger size) meesage?

Second, what if I have the NS set for abc.com and want the KEY.  I would
issue the request directly to abc.com.  If the SIG is only at the parent,
how is it received?  There aren't "up" pointers in DNS.  (Consider that
this migh happen lower in the tree, where the parent isn't so well known as
.com.)

I am asking not in jest, but as a part of wondering about the impact of
storing the SIG(KEY) only in the parent.

BTW - do the top level delegators want to be storing the KEY's for all of
the children zone's?  I thought this would be a thing to avoid.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

"It takes years of training to know when to do nothing" - Dogbert

Opinions expressed are property of my evil twin, not my employer.