Hi Brian,

The proposal aims to authenticate parental NS and glue records by having the 
parent sign their hash digests, embedded in new types of DS records.

1.) The separation of the data which requires authentication (parental NS + 
glue records) from the place where authentication is provided can lead to a 
race condition: What happens if updates to the NS or glue records have been 
seen and cached by a resolver, but an old DS RRset is cached (or vice versa), 
so that digests mismatch? How does this interfere with the notion that it is 
acceptable to cache an RRset until its TTL expires?

2.) Conceptually, the goal of authenticating parental NS and glue records can 
also be achieved by signing them directly at the parent. In this case, the 
signature is bound directly to the data, and no race condition occurs. One may 
object that the parent is not authoritative, but that's merely a legalistic 
point: If we change the law and declare that the parent *can* sign these 
records, then authentication of parental NS and glue records would in fact be 
achieved. Thus my question -- why not pursue this route?

3.) Have any experiments been done to determine whether adding RRSIGs to 
parental NS and glue records breaks existing deployments? (Pointers welcome.)

Best,
Peter


On 8/12/21 3:15 AM, Brian Dickson wrote:
This is the work I will be submitting in DNSOP.

This is what has been described as a “hack”, but provides a needed validation 
link for authoritative servers where the latter are in signed zones, but where 
the served zones may not be signed.

NB: It overlaps with the recent DPRIVE draft that Ben S submitted recently.

It will likely be the case that those overlaps need to be reconciled, based on 
use cases and scope.

I think there are valuable use cases other than privacy, which would make this 
more appropriate for DNSOP.

Comments are welcome.

The draft can be found at:


https://www.ietf.org/archive/id/draft-dickson-dnsop-ds-hack-00.txt 

Brian

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


--
Like our community service? 💛
Please consider donating at

https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
