On Mon, 19 Mar 2018, Robert Edmonds wrote:

> Viktor Dukhovni wrote:
> > The idea is to log the DNSKEY RRs observed at each zone apex.
> > Without the proposed flag, one would also have to log denial of
> > existence which would make the logs much too large.
>
> Can you expand on what you mean by "much too large"? There are already
> existing large scale passive DNS systems that log every RRset that they
> observe, and on relatively modest amounts of hardware. Is transparency
> for DNSSEC really all that less tractable than the "log every RRset"
> problem?

Do these large scale passive DNS systems then host the data for (m)any
clients to fully download?

There are also privacy aspects. If you need to audit/log every query,
you are uploading more personally identifiable information. Combined with
TTL=0 or really short RRSIG times, these can become trackers. DNSKEY and
DS records don't come with such short TTLs (or if they did, it could
itself be seen as a sign of malicious behavior), so there is much less
of a one-to-one relationship between those queriers and answers.

Paul
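The volume and tracking argument above, illustrated with an added Python example (not code from this thread or from any DNS transparency project): it takes a constructed stream of observed RRsets, keeps only DNSKEY and DS RRsets as the transparency log would, collapses repeated observations of the same key set into one entry, and flags DNSKEY RRsets whose TTL is unusually short. The `MIN_DNSKEY_TTL` threshold and the sample records are assumptions for the demonstration, not values from the thread.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

# Assumption (not from the thread): a DNSKEY RRset with a TTL below this many
# seconds is treated as anomalous, since key material normally carries long TTLs.
MIN_DNSKEY_TTL = 3600


@dataclass(frozen=True)
class RRset:
    owner: str    # owner name, e.g. "example.com."
    rtype: str    # RR type mnemonic, e.g. "DNSKEY"
    ttl: int      # TTL in seconds as observed in the response
    rdata: tuple  # presentation-format RDATA strings, one per RR


def rrset_digest(rr):
    """Order-independent digest of the RRset contents, so repeated
    observations of the same key set collapse to one log entry."""
    canonical = "\n".join(sorted(rr.rdata)).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def log_key_material(observed):
    """Reduce a stream of observed RRsets to a DNSKEY/DS transparency log.

    Returns (entries, anomalies):
      entries   - Counter keyed by (owner, rtype, digest): how often each
                  distinct DNSKEY/DS RRset was seen
      anomalies - list of (owner, ttl) for DNSKEY RRsets with a short TTL
    Everything else (A, AAAA, NSEC, ...) is dropped; that is where the
    volume and privacy reduction comes from.
    """
    entries = Counter()
    anomalies = []
    for rr in observed:
        if rr.rtype not in ("DNSKEY", "DS"):
            continue
        entries[(rr.owner, rr.rtype, rrset_digest(rr))] += 1
        if rr.rtype == "DNSKEY" and rr.ttl < MIN_DNSKEY_TTL:
            anomalies.append((rr.owner, rr.ttl))
    return entries, anomalies


# Constructed sample traffic (not real data): one zone's stable DNSKEY seen
# repeatedly, per-user TTL=0 A records that a "log everything" design would
# have to retain, and one zone publishing DNSKEY with TTL 0.
SAMPLE = [
    RRset("example.com.", "DNSKEY", 3600,
          ("257 3 13 KSK-PLACEHOLDER", "256 3 13 ZSK-PLACEHOLDER")),
    RRset("example.com.", "DNSKEY", 3600,
          ("256 3 13 ZSK-PLACEHOLDER", "257 3 13 KSK-PLACEHOLDER")),
    RRset("example.com.", "DS", 86400, ("12345 13 2 DS-DIGEST-PLACEHOLDER",)),
    RRset("user-a1b2.track.example.net.", "A", 0, ("192.0.2.10",)),
    RRset("user-c3d4.track.example.net.", "A", 0, ("192.0.2.11",)),
    RRset("user-e5f6.track.example.net.", "A", 0, ("192.0.2.12",)),
    RRset("short-ttl.example.org.", "DNSKEY", 0, ("257 3 13 ODD-KEY-PLACEHOLDER",)),
]


def summarize(observed=SAMPLE):
    """Compare raw observation volume with what the key-material log keeps."""
    entries, anomalies = log_key_material(observed)
    return {
        "observed_rrsets": len(observed),
        "logged_entries": len(entries),
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    print(summarize())
```

Running it on the constructed sample keeps 3 log entries out of 7 observed RRsets: the two observations of example.com's DNSKEY collapse into one entry (RR order inside the RRset does not matter), the per-user TTL=0 A records never enter the log, and the TTL-0 DNSKEY is reported as an anomaly rather than silently accepted.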

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop