On 1.11.2017 12:11, Edward Lewis wrote:
> On 10/31/17, 20:50, "DNSOP on behalf of Mark Andrews" <dnsop-boun...@ietf.org on behalf of ma...@isc.org> wrote:
>
>> Secondly doing deepest match on trust anchors is the only secure way to
>> prevent a parent overriding the child zone's security policy.

Even though Knot Resolver implements "use any" (DS or trust anchor, whichever matches), I think we should move to "deepest match on trust anchors", i.e. I agree with Mark. The "use any" strategy is insecure and will surprise people, as illustrated by the reaction from Edward quoted below:

> By this, do you mean choice of cryptographic algorithm and/or length?
> To achieve "independence" in this way, the child can simply refuse to
> have a DS record at the parent and then lean on managing trust anchors
> at all relying resolvers.

With the current implementation of "use any", nothing prevents the parent from publishing a DS and thus hijacking the domain without clients noticing, even if there was a local TA installed for the given subdomain on the clients. For this reason I propose to document that "deepest match" is the mandated behavior.

-- 
Petr Špaček @ CZ.NIC

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
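The hijack scenario described in the message above, as an added example that is not part of the thread and is not Knot Resolver's code: a toy model of a validator that chooses its secure entry point either by "use any" (DS or trust anchor, whichever matches) or by "deepest match" (the most specific configured trust anchor wins and the parent's DS is ignored). Real DNSSEC validation checks RRSIG signatures and DS digests; here a key is represented only by a key tag, a DS "matches" a DNSKEY when the tags agree, and a zone's DS set is taken as validly signed whenever its parent has at least one trusted key. All key tags, zone names and the two zone trees are constructed for the example.

```python
"""Toy model of "use any" vs "deepest match" trust-anchor selection.

Assumptions (not real DNSSEC): a key is just an integer tag; a DS matches a
DNSKEY when the tags are equal; the DS RRset of a zone counts as authentically
signed as soon as its parent has one trusted key.
"""


def ancestors(name: str) -> list[str]:
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    if name == ".":
        return ["."]
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def trusted_keys(zone, strategy, trust_anchors, dnskeys, ds_records):
    """Key tags of `zone` that the validator accepts as authentic under `strategy`.

    trust_anchors: zone -> tags configured locally on the resolver
    dnskeys:       zone -> tags actually published in the zone's DNSKEY RRset
    ds_records:    zone -> tags that the PARENT's DS RRset points at
    Returns an empty set when the DNSKEY RRset cannot be authenticated.
    """
    published = dnskeys.get(zone, set())
    via_ta = published & trust_anchors.get(zone, set())

    if strategy == "deepest_match" and zone in trust_anchors:
        # The deepest configured anchor is authoritative for its zone and
        # everything below it: a DS published by the parent cannot override it.
        return via_ta

    if zone == ".":
        return via_ta  # nothing above the root to chain from

    parent = ancestors(zone)[1]
    parent_keys = trusted_keys(parent, strategy, trust_anchors, dnskeys, ds_records)
    via_ds = published & ds_records.get(zone, set()) if parent_keys else set()

    # "use any": a local anchor OR a DS chained from the parent is good enough,
    # so a parent-published DS is accepted even when a local anchor disagrees.
    return via_ta | via_ds


# Constructed key tags: root KSK, .com KSK, the legitimate example.com. key,
# a rogue key, and a key for a child zone below the local anchor.
ROOT_TAG, COM_TAG, LEGIT_TAG, ROGUE_TAG, WWW_TAG = 20326, 30909, 1111, 9999, 4242

# The resolver operator trusts the root plus a local anchor for example.com.
TRUST_ANCHORS = {".": {ROOT_TAG}, "example.com.": {LEGIT_TAG}}


def honest_tree():
    """example.com. deliberately has no DS at the parent and relies on local anchors."""
    dnskeys = {".": {ROOT_TAG}, "com.": {COM_TAG},
               "example.com.": {LEGIT_TAG}, "www.example.com.": {WWW_TAG}}
    ds = {"com.": {COM_TAG}, "www.example.com.": {WWW_TAG}}
    return dnskeys, ds


def hijacked_tree():
    """The parent now publishes a DS for a rogue key and the delegation serves it."""
    dnskeys = {".": {ROOT_TAG}, "com.": {COM_TAG},
               "example.com.": {ROGUE_TAG}, "www.example.com.": {WWW_TAG}}
    ds = {"com.": {COM_TAG}, "example.com.": {ROGUE_TAG}, "www.example.com.": {WWW_TAG}}
    return dnskeys, ds


def verdict(strategy, tree, zone="example.com."):
    dnskeys, ds = tree()
    return "secure" if trusted_keys(zone, strategy, TRUST_ANCHORS, dnskeys, ds) else "bogus"


if __name__ == "__main__":
    for strategy in ("use_any", "deepest_match"):
        for label, tree in (("honest", honest_tree), ("hijacked", hijacked_tree)):
            print(f"{strategy:14s} {label:9s} example.com. -> {verdict(strategy, tree)}")
```

Under "use any" the hijacked tree validates as secure: the rogue DNSKEY is accepted through the DS chain from the root even though the local anchor for example.com. does not match it. Under "deepest match" the same tree is bogus, and so is everything below it, while the honest tree still chains normally from the local anchor down to www.example.com.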