We have just submitted a draft aimed at increasing the security of DNSSEC with respect to the power that parental zones have over their children.

The aim of this draft is twofold:

1) Allow zones to publicly commit to being delegation_only zones. The aim here is to counter the argument that the root key and TLD keys are all powerful and under government control, and can therefore never be trusted.

2) Allow the creation of DNSSEC transparency logs. With delegation_only zones, we can limit DNSSEC transparency to only log DS and DNSKEY and their proof of non-existence. While this does not prevent all rogue parental data, it does prevent it for those records that matter (TLSA, SMIMEA, OPENPGPKEY).

Please have mercy on our souls,

Paul, Frank and Wes

A new version of I-D, draft-pwouters-powerbind-00.txt has been successfully submitted by Paul Wouters and posted to the IETF repository.

Name:           draft-pwouters-powerbind
Revision:       00
Title:          The Delegation_Only DNSKEY flag
Document date:  2018-03-19
Group:          Individual Submission
Pages:          7
URL:            https://www.ietf.org/internet-drafts/draft-pwouters-powerbind-00.txt
Status:         https://datatracker.ietf.org/doc/draft-pwouters-powerbind/
Htmlized:       https://tools.ietf.org/html/draft-pwouters-powerbind-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-pwouters-powerbind

Abstract:
   This document introduces a new DNSKEY flag called DELEGATION_ONLY
   that indicates that the particular zone will never sign zone data
   across a label. That is, every dot is considered a zone cut and must
   have its own (signed) delegation.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
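The following is an added example, not part of the posted message or of the draft itself, showing how a validating resolver (or a transparency-log filter) could apply the DELEGATION_ONLY semantics described in the abstract: a zone whose DNSKEY carries the flag may sign only its own apex data plus the DS and NSEC/NSEC3 records one label below the apex, because every dot is a zone cut. The flag bit value, the function names and the rule that signed names below the apex must sit exactly one label down are all assumptions made for the example; the draft text on this page does not specify them.

```python
"""Validator-side check for a DELEGATION_ONLY zone (added example, not from the draft)."""

# Assumption: the draft announcement gives no bit number for the flag, so a
# placeholder bit in the DNSKEY flags field is used here.
DELEGATION_ONLY_FLAG = 1 << 15

# Record types a delegation-only parent legitimately signs below its apex:
# DS at the delegation point and NSEC/NSEC3 for proofs of non-existence.
# (The NS RRset at a delegation is not signed by the parent, so it is not listed.)
ALLOWED_BELOW_APEX = {"DS", "NSEC", "NSEC3"}


def labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def is_at_or_below(owner: str, apex: str) -> bool:
    """True if owner equals apex or is a descendant of it."""
    o, a = labels(owner), labels(apex)
    return len(o) >= len(a) and o[len(o) - len(a):] == a


def signature_acceptable(apex: str, dnskey_flags: int, owner: str, rrtype: str) -> tuple[bool, str]:
    """Decide whether an RRSIG made with this zone's key over (owner, rrtype) is acceptable.

    Returns (accepted, reason). A validator would apply this after the normal
    DNSSEC signature check; a transparency log would use the same rule to decide
    which signed records from a delegation-only zone belong in the log at all.
    """
    if not is_at_or_below(owner, apex):
        return False, "owner name is outside the zone"

    if not dnskey_flags & DELEGATION_ONLY_FLAG:
        return True, "zone did not commit to delegation-only; ordinary rules apply"

    depth = len(labels(owner)) - len(labels(apex))
    if depth == 0:
        return True, "apex data (e.g. DNSKEY, SOA) may be signed by the zone"

    # Assumption: "every dot is a zone cut" is read as: the only names this
    # zone may sign below its apex are delegation points one label down.
    if depth == 1 and rrtype.upper() in ALLOWED_BELOW_APEX:
        return True, f"{rrtype.upper()} at a delegation point is permitted"

    if depth == 1:
        return False, f"{rrtype.upper()} below apex would be parent-signed zone data"

    return False, "name is more than one label below a delegation-only apex"


def filter_for_transparency_log(apex: str, dnskey_flags: int, signed_rrsets: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Keep only the (owner, rrtype) pairs a delegation-only zone is allowed to sign."""
    return [(o, t) for (o, t) in signed_rrsets if signature_acceptable(apex, dnskey_flags, o, t)[0]]


if __name__ == "__main__":
    # Constructed sample: a TLD-like apex that has set the flag.
    flags = 257 | DELEGATION_ONLY_FLAG  # KSK bits plus the placeholder flag bit
    for owner, rrtype in [("example.", "DNSKEY"), ("child.example.", "DS"),
                          ("child.example.", "TLSA"), ("www.child.example.", "A")]:
        print(owner, rrtype, signature_acceptable("example.", flags, owner, rrtype))
```

The point of the second function is the transparency-log argument in the message: once a zone has committed to the flag, a log only needs DNSKEY at the apex, DS at each delegation, and the NSEC/NSEC3 records proving their absence; a parent-signed TLSA or OPENPGPKEY record under such a zone is rejected outright by `signature_acceptable` rather than merely logged.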