[Unbound-users] bug? At least a difference in behaviour
Leen Besselink
leen at consolejunkie.net
Sun Sep 6 23:06:42 UTC 2009
Paul Wouters wrote:
> On Sun, 6 Sep 2009, Leen Besselink wrote:
>
>> I'm not a protocol expert, but why would you not trust the top-level
>> nameserver if DNSSEC isn't enabled?
>
> The records are "hints". They are published not by the zone owners,
> but by their parents. This is required to avoid a recursion loop.
> If you need ns1.example.com. to find ns1.example.com. someone else
> will have to tell you. This is what glue records are for.
>
I know this part.
> Since these are "out of zone" records, they are considered hints.
> It's common sense to verify the information at the proper source.
>
The problem I see with that is that the proper source is just as
trustworthy as the parent.
Which is: not much, if any, at least without something like DNSSEC to
verify something.
If we'd be talking about a CNAME, that would be something else, when we
were talking about "out of zone" records. But the parent zone?
If we can't trust the parent zone a little, we can't trust the child,
because the parent zone pointed us to it.
> It's like verifying gossip :)
>
> Paul
>
Not that I want to argue with a DNS expert, but I'm just surprised
at the answer.
Ooh, darn, I think I know now: it's because it's a different domain,
isn't it?
titan.net or its parents, other than the root, are in no way related
to nmap.org.
I wonder if Bert considers it a bug in 3.1.7?
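The "hints" rule Paul describes above is what resolvers call a bailiwick check: address records in the additional section of a referral are only accepted as glue when their owner name sits inside the zone the referring server is authoritative for; anything else is an out-of-zone hint that must be re-fetched from the proper source before it is cached. The following is an added illustration written for this thread, not Unbound's own code, and it uses a constructed referral for a made-up zone (example.org with one in-zone and one out-of-zone nameserver) rather than the real titan.net / nmap.org delegation. It also shows the general rule, not just the one delegation discussed: any additional record outside the referring zone is kept apart from cacheable glue, which is the defence against a server slipping addresses for unrelated names into a response.

```python
"""Bailiwick check for additional-section records in a DNS referral.

Added example for the discussion above; it is not code from Unbound.
Records are modelled as (owner_name, rtype, rdata) tuples, a simplified
stand-in for real wire-format RRs.
"""


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is equal to or below `zone`.

    Comparison is case-insensitive and tolerates a trailing dot.
    An empty zone (the root, ".") covers every name.
    """
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    if z == "":
        return True
    return n == z or n.endswith("." + z)


def classify_additional(referral_zone: str, additional):
    """Split additional-section records into usable glue and untrusted hints.

    Only A/AAAA records whose owner is inside `referral_zone` may be used as
    glue. Everything else is an out-of-zone hint: the resolver may use it to
    reach the nameserver once, but must verify the address at the zone that
    actually owns the name before trusting or caching it.
    """
    glue, hints = [], []
    for owner, rtype, rdata in additional:
        if rtype in ("A", "AAAA") and in_bailiwick(owner, referral_zone):
            glue.append((owner, rtype, rdata))
        else:
            hints.append((owner, rtype, rdata))
    return glue, hints


def names_needing_lookup(ns_names, glue):
    """Nameserver names for which no in-zone glue was supplied.

    These are the names the resolver has to resolve through their own
    parent zone, which is the "verify at the proper source" step.
    """
    covered = {owner.lower().rstrip(".") for owner, _, _ in glue}
    return [ns for ns in ns_names if ns.lower().rstrip(".") not in covered]


# Constructed referral for example.org from its parent (.org) servers.
# The NS set names one server inside the zone and one in an unrelated zone.
REFERRAL_ZONE = "example.org."
REFERRAL_NS = ["ns1.example.org.", "ns1.example.net."]
REFERRAL_ADDITIONAL = [
    ("ns1.example.org.", "A", "192.0.2.1"),      # in-zone: acceptable glue
    ("ns1.example.net.", "A", "198.51.100.1"),   # out-of-zone: hint only
    ("www.example.com.", "A", "203.0.113.9"),    # unrelated name: never glue
]


def demo():
    """Run the check over the constructed referral and return the verdicts."""
    glue, hints = classify_additional(REFERRAL_ZONE, REFERRAL_ADDITIONAL)
    pending = names_needing_lookup(REFERRAL_NS, glue)
    return {"glue": glue, "hints": hints, "lookup_separately": pending}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

Run as a script it prints one cacheable glue record, two hints, and `ns1.example.net.` as the name that still has to be resolved via its own parent. That last step is exactly why a difference in behaviour shows up without DNSSEC: the resolver is not rejecting the parent, it is refusing to let a server for one zone vouch for addresses in another.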