Hello, I'm still a bit skeptical.

1. Validation without logging.
At the end of 3.1 you claim that mode is still useful.  When I focus on
intentional attacks, signing a malicious DS seems among the easiest
ones, and that can't be detected without the attacked machine doing
logging (the DS might be served to specific targets only).  Consequently
I'm doubtful about implementing and deploying such a "half-secure"
approach in validators, especially as the RFC draft feels very hazy
about the way logging might be done.

2. Amount of logging.
The draft implies it would allow a very significant decrease in the
amount of data that needs to be logged.  Zones without the bit perhaps
won't be logged, but I hope that wasn't a significant point.  The draft
doesn't explicitly say what would be logged; my conclusion for zones
using this bit is that "we" would need basically any authoritative (i.e.
signed) data except for NSEC* records that have the DS bit and lack the
opt-out bit.  Am I missing something?  As for large TLD zones, even in
the best currently practical case the reduction seems to be by less than
a half?  (missing DS bits in about half of the delegations)  I expect
that the whole trust chains to the logged records are also needed, so
that the logger can prove they haven't forged the records.

--Vladimir

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop