Potential DELEG-only NXDOMAIN replay attack against old validators

[RoyArends]

This is minor, but just wanted to put it out there.

When only a DELEG and Authenticated Denial record exist at a delegation point, and no NS and DS, then a referral response can be replayed as an NXDOMAIN response to legacy validators. However, legacy resolvers can't use this referral anyway, due to the absence of NS records. Ergo, it is highly unlikely that NS records will ever go away.

[bemasc]

This does create an interesting wrinkle: when you receive a DELEG response, it's not enough to confirm that it has a valid DNSSEC signature that chains to the root. It must specifically have the parent's signature. The child could also produce signed DELEG records, but these are not valid. In particular, an attacker could replay a signed NODATA response from the child to disable DELEG resolution, and the resolver must be able to reject this because its RRSIG comes from the child side.

[RoyArends]

For DS, this is addressed in RFC6840 Section 4.1

I know it is not the exact same issue. I think if we just specify that the signer field MUST be shorter than the owner name of the DELEG RR, we're there.

[pspacek]

I agree, this is a known problem in the existing DNS protocol and the same solutions can be applied here. Again, this should apply to all new parent-side types (https://www.ietf.org/archive/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt)