> On 7 Oct 2022, at 17:21, Paul Wouters <p...@nohats.ca> wrote:
>
> On Fri, 7 Oct 2022, Paul Hoffman wrote:
>
>> On Monday, I'll do a new draft with:
>>
>> What we today call "DNSSEC" is the DNSSEC specification defined in
>> {{RFC4033}}, {{RFC4034}}, and {{RFC4035}}.
>> However, earlier incarnations of DNSSEC were thinly deployed and
>> significantly less
>> visible than the current DNSSEC specification.
>
> "s/and significantly less visible than the current DNSSEC specification/was
> never deployed beyond early adopter testing domains
> as it had no method of linking parent and child zones securely"
The last (added) part is not correct. RFC2535 had a way of linking parent and
child zones securely (chaining, see RFC2535 6.3). It was suboptimal, and an
effort was initiated by NLNetLabs (Ted, Jaap, Miek at the time) to get “sig at
parent” instead of “sig at child” (see [1]). This eventually lead to the
creation of the DS record and the concept of zone- and key signing keys.
Jakob Schlyter (Jakob’s Bug [2]) discovered that validating resolvers that read
NXT record containing a DS bit, but not the KEY bit would treat delegations as
not secure, despite the DS record being present, making the DS concept
incompatible with RFC2535. This is why NXT SIG and KEY became NSEC, RRSIG and
DNSKEY.
> Wording could be changed, but the point is, it could never be
> "production deployments" as it required hardcoded keys to build
> a path of trust.
>
> Perhaps even:
>
> DNSSEC documents predating {{RFC4033}}, {{RFC4034}}, and {{RFC4035}}
> specify obsoleted DNS RRtypes that never saw deployment beyond early
> adopter testing, and haven't been deployed in nearly two decades,
> and are of no concern to implementers.
This is not correct. SIG and KEY have not been obsoleted and have been in use
for SIG(0). But I digress.
Perhaps:
What we refer to as "DNSSEC" is the third iteration of the DNSSEC
specification; [RFC2065] being the first, [RFC2535] being the second. Earlier
iterations have not been deployed on a significant scale. Throughout this
document, "DNSSEC" means the protocol initially defined in [RFC4033],
[RFC4034], and [RFC4035].
Roy
>
> Paul
[1] https://mailarchive.ietf.org/arch/msg/dnsop/vD7AkG24k-_0YRaJdWCAYPvkI4M/
[2] https://www.dfn-cert.de/dokumente/workshop/2005/dfncert-ws2005-f7paper.pdf
See 2.1.3
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
