Problem
The DNSSECValidator.ValidateChain() function (issue #92 fix) validates the full DNSSEC trust chain from leaf zone to trust anchor. However, this function is never called from production code - only from tests.
Current Usage
Production code (server.go:validateDNSSEC) only calls ValidateRRSet() to validate individual RRsets, not ValidateChain().
Root Cause
To call ValidateChain, you would need to:
- Build a chain by walking from the leaf zone up to the root trust anchor
- For each zone link, collect the zone's DNSKEY RRset, the DS records for that zone served by its parent, AND the RRSIG records covering that DS RRset (RRSIG_DS)
- Make a network fetch for the DNSKEY RRset (and the parent-served DS RRset) at each level
This chain-building logic was never implemented in the DNSSEC MVP.
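The missing chain-building step, as an added illustration and not code from this project: it walks the candidate zones leaf-first, fetches each zone's DNSKEY RRset and the DS RRset its parent serves through a hypothetical Fetcher hook (a real implementation would query DNS), derives the SHA-256 DS digest per RFC 4034 section 5.1.4 so that a delegation whose DS matches none of the zone's keys is rejected before any signature work, and returns the assembled links. Verification of the RRSIG over the DS RRset is deliberately left to the existing validator. The record types, the Fetcher interface, BuildChain, ZoneChain and the in-memory ToyFetcher with its made-up keys are all assumptions of this example, not names from the code base.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Record models for this example only, not the project's own types.
type DNSKEY struct{ Flags uint16; Protocol, Algorithm uint8; PublicKey []byte }
type DS struct{ Algorithm, DigestType uint8; Digest []byte } // DigestType 2 = SHA-256
// ChainLink is one zone: its DNSKEY RRset plus the DS RRset its parent serves for
// it (nil at the root trust anchor). The RRSIG(DS) check is left to the validator.
type ChainLink struct{ Zone string; Keys []DNSKEY; DS []DS }

// Fetcher is a hypothetical hook for the per-zone network lookups.
type Fetcher interface {
	Lookup(zone string) (keys []DNSKEY, ds []DS, err error) // ds is served by the parent; nil for the root
}

// ZoneChain lists candidate zones leaf-first down to the root. Caveat: not every
// label boundary is a zone cut; a real builder must probe (NS/SOA) for each apex.
func ZoneChain(name string) []string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	var zones []string
	for i := range labels {
		if labels[i] != "" {
			zones = append(zones, strings.Join(labels[i:], ".")+".")
		}
	}
	return append(zones, ".")
}

// DSFromKey: SHA-256(lowercase wire-format owner name || DNSKEY RDATA), RFC 4034 5.1.4.
func DSFromKey(owner string, k DNSKEY) DS {
	h := sha256.New()
	for _, label := range strings.Split(strings.ToLower(strings.TrimSuffix(owner, ".")), ".") {
		if label != "" {
			h.Write(append([]byte{byte(len(label))}, label...))
		}
	}
	h.Write([]byte{0}) // the root label terminates the wire-format name
	h.Write(append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...))
	return DS{Algorithm: k.Algorithm, DigestType: 2, Digest: h.Sum(nil)}
}

// BuildChain is the walk the issue describes: fetch each zone's DNSKEYs leaf to
// root and, below the root, the DS set its parent serves. A link whose DS set
// matches none of the zone's DNSKEYs is rejected before any signature work.
// Caveat: a real builder must treat an authenticated denial of DS as an
// insecure delegation rather than an error.
func BuildChain(leaf string, f Fetcher) ([]ChainLink, error) {
	var chain []ChainLink
	for _, zone := range ZoneChain(leaf) {
		keys, ds, err := f.Lookup(zone)
		if err != nil {
			return nil, fmt.Errorf("lookup %s: %w", zone, err)
		}
		link := ChainLink{Zone: zone, Keys: keys, DS: ds}
		if zone != "." && !dsMatchesKey(link) {
			return nil, fmt.Errorf("no DS served for %s matches a DNSKEY in that zone", zone)
		}
		chain = append(chain, link)
	}
	return chain, nil
}

// dsMatchesKey reports whether some DS in the link is the SHA-256 digest of
// some DNSKEY in the link (other digest types are not modelled here).
func dsMatchesKey(link ChainLink) bool {
	for _, ds := range link.DS {
		for _, k := range link.Keys {
			if ds.DigestType == 2 && ds.Algorithm == k.Algorithm && bytes.Equal(ds.Digest, DSFromKey(link.Zone, k).Digest) {
				return true
			}
		}
	}
	return false
}

type zoneData struct{ keys []DNSKEY; ds []DS }
type memFetcher map[string]zoneData // constructed, offline stand-in for the network

func (m memFetcher) Lookup(zone string) ([]DNSKEY, []DS, error) {
	z, ok := m[zone]
	if !ok {
		return nil, nil, fmt.Errorf("no DNSKEY RRset for %s", zone)
	}
	return z.keys, z.ds, nil
}

// ToyFetcher builds a three-level hierarchy from constructed keys (not real
// ones), with each parent serving a correct DS for its child.
func ToyFetcher() memFetcher {
	mk := func(s string) DNSKEY { return DNSKEY{Flags: 257, Protocol: 3, Algorithm: 13, PublicKey: []byte(s)} }
	root, com, example := mk("root-key"), mk("com-key"), mk("example-key")
	return memFetcher{
		".":            {keys: []DNSKEY{root}},
		"com.":         {keys: []DNSKEY{com}, ds: []DS{DSFromKey("com.", com)}},
		"example.com.": {keys: []DNSKEY{example}, ds: []DS{DSFromKey("example.com.", example)}},
	}
}
```

BuildChain("example.com.", ToyFetcher()) returns three links (example.com., com., .) and fails as soon as a served DS digest no longer matches the zone's key. Wiring this into validateDNSSEC would mean swapping ToyFetcher for a resolver-backed Fetcher and handing the links to ValidateChain in whatever shape it expects, with the RRSIG over each DS RRset checked against the parent's DNSKEYs there.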
Implication
The issue #92 fix is correct and useful, but ValidateChain won't be exercised until chain validation is wired up in production. The fix ensures:
- The validator logic is correct when eventually used
- Tests properly verify the RRSIG_DS verification behavior
Potential Solution Options
- Wire up chain validation - Implement the chain-building logic in validateDNSSEC or a new method to walk the trust chain
- Document as incomplete - Record this in ADR 0008 as a known limitation tracked as future work
- Both - Wire it up and update documentation
References