On Dec 10, 2020, at 4:35 PM, Joe Abley <jab...@hopcount.ca> wrote:
>
> On Dec 10, 2020, at 19:25, Paul Hoffman <paul.hoff...@icann.org> wrote:
>
>> In DPRIVE, there is a desire to use TLSA records to authenticate authoritative
>> servers. In order to do that without getting into a chicken-and-egg loop,
>> the parent needs to authenticate the NS records of the child authoritative
>> server.
>
> I haven't been following dprive recently. Is there a particular document that
> expresses the problem statement above in more detail?

No. As you know, DPRIVE is not strong on use case documents...

> "Authenticate authoritative servers" is a bit vague for me. Parent and child
> are namespace concepts and not relying parties that you'd ordinarily expect
> to be able to authenticate anything.

A resolver asks a parent what the NS records are for the child. Today, an on-path attacker can change the answer and the resolver would not be the wiser, so the resolvers cannot trust such answers to do things like look up TLSA records. There is a desire for resolvers to be sure that the child NS records they receive from the parent are what the parent has in its zone for the child, so they can use this information to ask for TLSA records.

--Paul Hoffman
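The gap Paul describes, modelled as an added example (not code from the thread or from any DNSOP/DPRIVE document): in a DNSSEC-signed parent zone the DS RRset at a delegation is signed, but the delegation NS RRset is non-authoritative and carries no RRSIG, so a resolver can tell a tampered DS from a genuine one but cannot tell a tampered NS set from the real one. Signatures are stood in for by an HMAC with a constructed key; the zone names, key and DS digest are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for an RRSIG. Real DNSSEC uses public-key signatures;
# what this model captures is *which* RRsets carry a signature at all.
ZONE_KEY = b"constructed-parent-zone-key"  # placeholder, not a real key


def sign_rrset(owner: str, rtype: str, rdata: List[str]) -> str:
    """Stand-in RRSIG over a canonically ordered RRset."""
    canonical = f"{owner}|{rtype}|{'|'.join(sorted(rdata))}".encode()
    return hmac.new(ZONE_KEY, canonical, hashlib.sha256).hexdigest()


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: List[str]
    rrsig: Optional[str] = None  # None models an unsigned RRset


def parent_referral(child: str) -> Dict[str, RRset]:
    """Model of the parent's referral: DS is signed, delegation NS is not."""
    ns = ["ns1.child-dns.example.", "ns2.child-dns.example."]  # constructed
    ds = ["12345 13 2 <constructed-digest>"]  # constructed placeholder
    return {
        "NS": RRset(child, "NS", ns),  # non-authoritative, no RRSIG
        "DS": RRset(child, "DS", ds, sign_rrset(child, "DS", ds)),
    }


def substitute_rdata(referral: Dict[str, RRset], rtype: str, rdata: List[str]) -> Dict[str, RRset]:
    """Model an on-path change to one RRset, keeping whatever RRSIG it carried."""
    changed = dict(referral)
    old = referral[rtype]
    changed[rtype] = RRset(old.owner, old.rtype, list(rdata), old.rrsig)
    return changed


def validate(rrset: RRset) -> str:
    """Resolver view of one RRset: 'secure', 'bogus' or 'unauthenticated'."""
    if rrset.rrsig is None:
        return "unauthenticated"
    expected = sign_rrset(rrset.owner, rrset.rtype, rrset.rdata)
    return "secure" if hmac.compare_digest(expected, rrset.rrsig) else "bogus"


def ns_usable_for_tlsa(referral: Dict[str, RRset]) -> bool:
    """Only an NS RRset that itself validated may key a TLSA lookup."""
    return validate(referral["NS"]) == "secure"
```

Running `validate` over a genuine referral and over one whose NS names were swapped returns "unauthenticated" for both, while a swapped DS comes back "bogus"; that asymmetry is the chicken-and-egg problem in the mail.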
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop