On Mon, 25 Feb 2019, Brotman, Alexander wrote:

> Stephen and I have spent a bit of time working on a draft to be able to show a
> relationship between two domains.  We're aware this subject has been covered a
> few times previously, especially in the DBOUND drafts, but we're hopeful that a
> more simple approach might be more acceptable.   The secondary domain will
> create a DNS record that shows a link to a primary domain, and the text should
> be able to be validated using the public key in a DNS record the primary domain
> shares.  This is something akin to DKIM, a mechanism that the email world uses
> to ensure the contents of a message have not been tampered with.

> https://datatracker.ietf.org/doc/draft-brotman-rdbd/

I've read the draft, and I have my usual complaints.

If we put stuff into the DNS for security decisions, saying "it's better
if you use this data when it is DNSSEC signed" is just too weak. We are
splashing TOFU everywhere and putting CT bandaids on it. It's long overdue
that we stop with that. Just require DNSSEC.

And if you require DNSSEC validation, then the solution becomes
much simpler and could be encoded in a single bit, see:

https://tools.ietf.org/html/draft-pwouters-powerbind

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
