Validating glue information before using it
The NS and address records given on delegation are not signed (except in special cases where that's possible). There's still some slight risk of attacking that place. For on-path attackers that gives no advantage (as far as I know), for off-path attackers we have the shared protection via randomization of query ID + port + qname case (= 30–40 bits of entropy usually).
If an attacker manages to change glue to IPs they control, they basically get elevated to an on-path attacker, i.e. they can:
- observe all queries,
- easily extend the attack to whole subtree,
- arbitrarily change the legitimately unsigned parts,
- reliably DoS any chosen signed parts.
Most of this could be mitigated by first using glue to validate itself and only using it for real queries after that. With parallel queries this seems realistic, as fetching the NS and addresses could be done all at once with fetching the zone's DNSKEY, so probably not add any latency in usual setting. Before that I'd expect a few RTT slow-down for each uncached zone cut, i.e. way too much.