On Mon, Mar 19, 2018 at 12:34 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> On Mon, Mar 19, 2018 at 08:22:03AM -0400,
>  Paul Wouters <p...@nohats.ca> wrote
>  a message of 57 lines which said:
>
> > We have just submitted a draft aimed at increasing the security of
> > the DNSSEC with respect to the power that parental zones have over
> > their children.
>
> I'm opposed to this idea.
>
> > While the root and TLD zones are assumed to be almost exclusively
> > delegation-only zones,
>
> This is unrelated. You mix two different things, the administrative
> issue and the technical one (every subdomain in its own zone). gouv.fr
> is administratively a delegation from .fr but is in the same zone.
>
> > the root zone operator (or any level higher in the hierarchy than
> > the target victim) could briefly remove the NS and DS records, and
> > create a "legitimate" DNS entry for "www.example.org"
>

If the parent simply pointed the NS and DS records to a different version of the zone, that would accomplish the same effect, even with a 'delegation-only' flag, so the 'delegation-only' flag really does not solve the problem.

-- 
Bob Harold

> That's the DNS. It is a tree. Protecting children against the parent is
> a non-goal, or otherwise we should move to some alternative to DNS
> (Namecoin is cool).
>
> > The aim here is to counter the argument that the root key and TLD
> > keys are all powerful and under government control, and can therefore
> > never be trusted.
>
> I've read the draft and still can understand nothing in this sentence.
>
> > 2) Allow the creation of DNSSEC transparency logs
>
> Maybe mentioning draft-zhang-trans-ct-dnssec would be nice?
>
> > The DELEGATION_ONLY flag has a strong overlap in functionality with
> > the Public Suffix List as both signal a formal split of authority
> > between parent and child.
>
> Maybe mentioning the defunct DBOUND working group would be a good
> idea?
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
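The two cases argued over in this thread (a delegation-only parent signing data below a cut, versus the parent simply publishing a different DS) can be made concrete with a small validator model. The following Python is an added example, not code from the draft, the thread, or any DNS implementation: there is no real DNSSEC cryptography, a record's "signature" is just the key id that signed it, DS rdata is just the child key id it authorises, and the zone names, key ids and addresses are constructed. It shows a DELEGATION_ONLY check rejecting case 1, accepting case 2 exactly as Bob Harold describes, and a minimal DS transparency log (the draft's item 2) that is what makes case 2 observable at all.

```python
"""Toy model of the DELEGATION_ONLY discussion (constructed example).
No real DNSSEC crypto: 'signer' stands in for an RRSIG and DS rdata is
the child key id being authorised."""

from dataclasses import dataclass, field

DELEGATION_TYPES = {"NS", "DS"}   # all a delegation-only parent may sign below its apex


@dataclass(frozen=True)
class RR:
    name: str     # owner name, e.g. "www.example.org."
    rtype: str    # "A", "NS", "DS", ...
    rdata: str    # for DS (toy): the child key id being authorised
    signer: str   # key id standing in for the RRSIG


@dataclass
class Zone:
    apex: str
    key: str                        # key id of this zone's signing key
    delegation_only: bool = False   # the DELEGATION_ONLY flag (assumed to sit on the key)
    records: list = field(default_factory=list)


def find(zone, name, rtype):
    return [rr for rr in zone.records if rr.name == name and rr.rtype == rtype]


def validate(name, rtype, chain, trusted_key):
    """Walk the chain parent-first, like a validator with a trust anchor.
    Returns ("secure", rdata), ("bogus", reason) or ("insecure", reason)."""
    expected_key = trusted_key
    for i, zone in enumerate(chain):
        if zone.key != expected_key:
            return "bogus", f"{zone.apex} signed with {zone.key}, expected {expected_key}"
        answers = find(zone, name, rtype)
        if answers:
            rr = answers[0]
            if rr.signer != zone.key:
                return "bogus", f"signature on {name}/{rtype} is not by {zone.key}"
            # The flag from the draft: a delegation-only zone must not be the
            # one signing non-delegation data below its own apex.
            if zone.delegation_only and name != zone.apex and rtype not in DELEGATION_TYPES:
                return "bogus", f"{zone.apex} is delegation-only but signed {rtype} for {name}"
            return "secure", rr.rdata
        if i + 1 >= len(chain):
            return "insecure", f"{name} not found below {zone.apex}"
        child = chain[i + 1]
        ds = find(zone, child.apex, "DS")
        if not ds or ds[0].signer != zone.key:
            return "insecure", f"no valid DS for {child.apex} in {zone.apex}"
        expected_key = ds[0].rdata    # the DS says which child key to trust next
    return "insecure", "empty chain"


class DSLog:
    """Minimal 'DNSSEC transparency' log: remembers the DS set last seen for a
    delegation and reports every change. It cannot say who caused the change,
    only that the parent published something different."""

    def __init__(self):
        self.seen = {}

    def observe(self, child_apex, ds_keys):
        previous = self.seen.get(child_apex)
        self.seen[child_apex] = frozenset(ds_keys)
        if previous is not None and previous != self.seen[child_apex]:
            return f"DS for {child_apex} changed: {sorted(previous)} -> {sorted(ds_keys)}"
        return None


# --- constructed scenarios (names, keys and addresses are made up) -----------
ORG = Zone("org.", "org-key", delegation_only=True,
           records=[RR("example.org.", "DS", "example-key", "org-key")])
EXAMPLE = Zone("example.org.", "example-key",
               records=[RR("www.example.org.", "A", "192.0.2.10", "example-key")])

# 1. Parent drops the delegation and signs www.example.org itself: the flag catches it.
ORG_DIRECT = Zone("org.", "org-key", delegation_only=True,
                  records=[RR("www.example.org.", "A", "198.51.100.1", "org-key")])

# 2. Parent keeps delegating but the DS now names another key, i.e. another
#    version of the zone: the flag has nothing to object to.
ORG_SWAPPED = Zone("org.", "org-key", delegation_only=True,
                   records=[RR("example.org.", "DS", "other-key", "org-key")])
EXAMPLE_OTHER = Zone("example.org.", "other-key",
                     records=[RR("www.example.org.", "A", "198.51.100.1", "other-key")])


def run_scenarios():
    normal = validate("www.example.org.", "A", [ORG, EXAMPLE], "org-key")
    direct = validate("www.example.org.", "A", [ORG_DIRECT], "org-key")
    swapped = validate("www.example.org.", "A", [ORG_SWAPPED, EXAMPLE_OTHER], "org-key")
    log = DSLog()
    first = log.observe("example.org.", ["example-key"])   # what the log saw before
    alert = log.observe("example.org.", ["other-key"])     # what it sees in scenario 2
    return normal, direct, swapped, first, alert


if __name__ == "__main__":
    labels = ("normal", "parent signs A directly", "parent swaps DS",
              "first DS observation", "DS change")
    for label, result in zip(labels, run_scenarios()):
        print(f"{label}: {result}")
```

Running it prints "secure" for the normal chain, "bogus" for the parent that signs an A record below the cut, and "secure" again for the swapped DS, which is the whole of the objection: the validator has no way to tell a legitimate key rollover from a parent-side replacement. Only the log's change notice distinguishes the last case, and it does so after the fact, which is why the transparency-log item and the flag are complementary rather than interchangeable.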