> On 17 Jul 2023, at 05:53, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
>> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117
>> dnsop agenda.
>>
>> https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
>>
>> I haven't seen prior discussion of this item on the list, and,
>> personally, rather suspect it unlikely to gain meaningful support from
>> the WG and see adoption.
>>
>> Would it be possible to defer discussion of this document to such time as
>> some evidence of support emerges, and in the meantime use the timeslot
>> for more realistically productive proposals?
>
> I should perhaps have stated the technical criteria on which I consider
> the proposal non-viable. To wit:
>
> - The proposed protocol lacks all downgrade resistance.
> - Without a signed delegation from the parent, the existence of the
> zone apex CERT RRs and associated RRSIGs is trivially denied by
> an on-path attacker.
> - This protocol adds failure modes (CERTs and RRSIGs are available,
> but don't match), without adding any security.
>
> Since the point of DNSSEC is to thwart active attacks, and the protocol
> in the proposed draft offers no such protection, I consider it
> non-viable.
>
> There are other substantial issues, but the above is sufficient to stop
> looking for more reasons why this is a dead-end.
>
> --
> Viktor.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
I concur. This is a horribly flawed proposal.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
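The downgrade point in Viktor's list, as an added illustration that is not part of either message and does not reproduce the draft's own mechanism: a toy validator applies the usual Secure/Insecure/Bogus decision (RFC 4035 style) to the zone-apex CERT RRset, once with a DS in the parent and once without one. HMAC stands in for RRSIG so the block runs on the standard library alone; the zone name, key and rdata are constructed placeholders, and the attacker functions model only what an on-path party can do (drop or alter records, not sign as the zone).

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed toy key material standing in for the zone's DNSKEY. HMAC replaces a
# real RRSIG so the example is self-contained; the validator's decision logic is
# the point, not the cryptography.
ZONE_KEY = b"example-zone-signing-key"
OWNER = "example.test."
CERT_RDATA = [b"CERT:PKIX:cert-of-example-test"]   # constructed placeholder CERT rdata
NSEC_NO_CERT = [b"NSEC:no-CERT-at-apex"]           # constructed NSEC denying CERT


def rrsig(owner: str, rrtype: str, rdata: list[bytes], key: bytes = ZONE_KEY) -> str:
    """Toy RRSIG: MAC over the canonical (owner, type, sorted rdata) of one RRset."""
    msg = owner.encode() + b"\x00" + rrtype.encode() + b"\x00" + b"\x00".join(sorted(rdata))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class ApexResponse:
    """What the resolver sees for <OWNER> CERT after the network and any attacker."""
    cert: Optional[list[bytes]]     # CERT rdata, None if the RRset is absent
    cert_rrsig: Optional[str]       # RRSIG covering the CERT RRset
    nsec_rrsig: Optional[str]       # RRSIG over the NSEC that proves CERT does not exist


def honest_zone(publishes_cert: bool = True) -> ApexResponse:
    """The zone's own answer: signed CERTs, or a signed denial if it has none."""
    if publishes_cert:
        return ApexResponse(CERT_RDATA, rrsig(OWNER, "CERT", CERT_RDATA), None)
    return ApexResponse(None, None, rrsig(OWNER, "NSEC", NSEC_NO_CERT))


def strip_certs(resp: ApexResponse) -> ApexResponse:
    """On-path attacker drops the CERT RRset and its RRSIG. Without ZONE_KEY it
    cannot produce the signed NSEC an honest CERT-less zone would serve."""
    return ApexResponse(None, None, None)


def corrupt_rrsig(resp: ApexResponse) -> ApexResponse:
    """Deliver the CERTs with a signature that does not match them."""
    return ApexResponse(resp.cert, "0" * 64, resp.nsec_rrsig)


def validate(resp: ApexResponse, ds_in_parent: bool) -> tuple[str, Optional[list[bytes]]]:
    """Return (validation state, data handed to the application).

    ds_in_parent=False models the situation the message criticises: no signed
    delegation, so the chain of trust ends at the parent, the child is Insecure,
    and whatever arrived is passed up without the signatures being consulted.
    """
    if not ds_in_parent:
        return "INSECURE", resp.cert
    if resp.cert is not None:
        if resp.cert_rrsig == rrsig(OWNER, "CERT", resp.cert):
            return "SECURE", resp.cert
        return "BOGUS", None                 # data present, RRSIG missing or wrong
    # No CERT RRset: the absence itself must be proven by a signed NSEC.
    if resp.nsec_rrsig == rrsig(OWNER, "NSEC", NSEC_NO_CERT):
        return "SECURE", None                # authenticated denial of existence
    return "BOGUS", None                     # unsigned absence: stripped on the path


def downgrade_outcomes() -> dict[str, str]:
    """Validation state per scenario, with and without a signed delegation."""
    honest = honest_zone()
    out = {}
    for label, ds in (("with_ds", True), ("without_ds", False)):
        out[f"{label}/honest"] = validate(honest, ds)[0]
        out[f"{label}/stripped"] = validate(strip_certs(honest), ds)[0]
        out[f"{label}/mismatch"] = validate(corrupt_rrsig(honest), ds)[0]
    return out


if __name__ == "__main__":
    for scenario, state in downgrade_outcomes().items():
        print(f"{scenario:22s} {state}")
```

With a DS in the parent, both tampering cases come back BOGUS and the resolver refuses to answer. Without one, all three scenarios are INSECURE, and the stripped answer is byte-for-byte the outcome an honest zone that never published a CERT would produce, which is exactly the missing downgrade resistance in the first two bullets; the mismatch case shows the third bullet, a failure the resolver never flags because it does not consult the signatures at all.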