On Thu, 12 Aug 2021, Olafur Gudmundsson wrote:

> IMHO the ONLY benefit of it is to encourage DS record overloading with random
> data that has no DNSSEC relevance, leading to abuse that threatens to turn the
> DS record into the new TXT overloading record resulting in large DS sets.

Not the only one, as you point out below. It is also useful for "vanity 
algorithms" :)

> The DS record is a unique record that it lives only at the parent side of
> delegation, when DNS was defined no such records were envisioned, if more are
> needed this working group should take up a new work item to define a sub-set
> of the RRtype number space as Parent side-only to have a proper debate on the
> topic.

This would have been excellent to do when we did DS. It would still be
good to do this now, I agree. But it would be too late for some of the
things discussed now. If people insist that we need a parent side
"encrypted transport" indicator, that can be deployed next week, then
the options are DS or NS. By blocking DS use, we are just going to get
a less secure version stuffed in NS. So while I agree in principle with
you, I disagree in practice.

> Furthermore this draft makes it trivial for vanity algorithms to be added to
> the DS and DNSKEY registries threatening the depletion of the small number
> space.

It seems inevitable that we will see a few of these, whether we like it
or not. The alternative is that DNSSEC as a whole is disregarded by
some nation states. We don't want those ciphers to go through Standard
Track all the time. So the policy change to me seems reasonable.

> There is a big difference between registration and deployment, only
> algorithms that the IETF thinks have a benefit to the whole community and
> have an expectation of wide deployment should be registered.

In an ideal world yes. In reality we can't stop some of this from
happening.

> Those of us who have fought the battles to get new algorithms rolled out and
> supported by a large fraction of the internet can attest that increasing the
> number of supported algorithms is a no-win battle as it may lead to
> fragmented validation on the internet, forcing zones to sign with multiple
> algorithms ==> increasing packet size for no good reason.

The "no good reason" is the subjective part of course :)

> Getting DS records into parents at TLD level is hard, CDS/CDNSKEY are
> supposed to make that easier but uptake has been slow due to resistance by
> industry and any overloading of the DS record may derail it.

This is a real concern. I personally do not have the knowledge to say
how much they might derail things or not. Again, it is more of a TLD
policy item than a technical issue. From a technical point of view,
the parent doing a "dumb copy" would be best. But then comes the
lawyers.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
