Hello Paul, On Mon, 2020-11-30 at 15:43 +0000, Paul Hoffman wrote: > The more I think about draft-fujiwara-dnsop-delegation-information-signer, > the more I think that it is much more complex than what we are doing now in > DNSSEC, and therefore undesirable.
My feelings are similar but not identical - the conversation already shows that the glue story will be almost impossible to implement. Next to that, I haven't figured out why we'd want to authenticate glue. However, authenticating the delegation NSset fills an obvious gap in various suggested answers to the dprive phase2 question (privacy between resolvers and authoritatives). > If the goal is "a way for a signer in a parent to sign child NS in a way that > does not affect validators that have not been updated (or don't care)", a > significantly easier solution would be a new RRtype (maybe called "CNSRRSIG") > that closely mimics RRSIG but only allows child NS for signing. An aware > signer included the CNSRRSIG in the zone, and an aware authoritative server > includes in in the Authority section when serving child NS records. An aware > resolver can use this, an unware resolver would treat it like any other > unknown RRtype that appears in the Authority section. This makes a ton of sense to me. Compared to DiS, registrar complexity is identical (because the complexity is also hidden in the signer here); signer complexity is potentially lower. The only real complexity change vs. DiS is in the auths, that now need to know to serve CNSRRSIG from the parent side in the additional part of a delegation response. For resolvers, this vs. DiS is again pretty much moot. > There are probably a few other diffs from the RRSIG definition in RFC 403x, > but they should be minor. This might make implementation more likely to be > correct for signers, servers, and resolvers. Yes, this calls for some experiments, but I suspect the outcome will be as you described above - which means no hurdles to incremental rollout. (I am not even convinced this needs to be a new type, vs. reusing RRSIG under the specific semantics you described, but a new type feels cleaner to me.) > Thoughts? +1 ! Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
