On Jul 16, 2023, at 15:53, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:

> I should perhaps have stated the technical criteria on which I consider
> the proposal non-viable. To wit:
>
> - The proposed protocol lacks all downgrade resistance.
> - Without a signed delegation from the parent, the existence of the
>   zone apex CERT RRs and associated RRSIGs is trivially denied by
>   an on-path attacker.
Indeed, the lack of a chain of trust via DS records means the CERT and RRSIG records can just be removed from the answers. Encoding the presence somehow in the NS names (aka dnscurve style) also doesn't help, because such an approach requires authenticated connections from the root down and doesn't work through DNS caches. The exact reason why dnscurve was non-viable.

And finally, as with proposals to replace IPv6 with something better, it would take years for the software to be written and deployed, so it is questionable whether fragmenting the DNS world into two different methods to accomplish the same thing would speed up the security of DNS. Better focus on removing roadblocks that cause people to postpone DNSSEC deployments.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
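The downgrade point both messages make (without a DS in the parent, a validator cannot tell a stripped answer from a legitimately unsigned zone) can be shown with a small model of a validating resolver. The script below is an added illustration, not code from this thread or from any DNS implementation: the zone name, key bytes and CERT rdata are constructed, and an HMAC stands in for RRSIG verification so it runs offline. It walks the four combinations of "DS published in the parent or not" and "DNSSEC records present or stripped" and returns the verdict a validator would give in each case.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Validator outcomes in RFC 4035 terminology.
SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"


@dataclass
class RRset:
    """One RRset as the validator sees it; rrsig is None when unsigned or stripped."""
    name: str
    rtype: str
    rdata: tuple
    rrsig: Optional[bytes] = None


def rrsig(zone_key: bytes, rrset: RRset) -> bytes:
    """HMAC stand-in for an RRSIG over the RRset (a model, not real DNSSEC signing)."""
    msg = f"{rrset.name}|{rrset.rtype}|{rrset.rdata}".encode()
    return hmac.new(zone_key, msg, hashlib.sha256).digest()


def ds_digest(zone_key: bytes) -> bytes:
    """Stand-in for the DS record: a digest of the child's key material, held by the parent."""
    return hashlib.sha256(zone_key).digest()


def validate(parent_ds: Optional[bytes], dnskey: Optional[bytes], answer: RRset) -> str:
    """
    Model of a validating resolver judging a child-zone RRset.
    parent_ds : DS digest published (and signed) in the parent, or None when the
                parent gives an authenticated denial of existence for the DS.
    dnskey    : the child's DNSKEY as received (None if stripped); stand-in bytes here.
    answer    : the RRset under validation (here the zone-apex CERT RRset).
    """
    if parent_ds is None:
        # No DS: the delegation is provably insecure. Nothing below it can be
        # validated, so the answer is accepted as INSECURE whatever it contains.
        return INSECURE
    # DS present: a matching DNSKEY and a verifying RRSIG are now required;
    # anything missing or mismatched is BOGUS, never a silent fallback.
    if dnskey is None or not hmac.compare_digest(ds_digest(dnskey), parent_ds):
        return BOGUS
    if answer.rrsig is None or not hmac.compare_digest(rrsig(dnskey, answer), answer.rrsig):
        return BOGUS
    return SECURE


def without_signatures(answer: RRset) -> RRset:
    """The answer as it arrives when the RRSIG has been removed in transit."""
    return RRset(answer.name, answer.rtype, answer.rdata, rrsig=None)


def scenario(delegation_signed: bool, stripped: bool) -> str:
    """Run one constructed scenario and return the validator's verdict."""
    child_key = b"constructed-example-zone-key"  # constructed value, not a real key
    cert = RRset("example.test.", "CERT", ("PKIX", 0, 0, "base64-cert-placeholder"))
    cert.rrsig = rrsig(child_key, cert)
    parent_ds = ds_digest(child_key) if delegation_signed else None
    dnskey: Optional[bytes] = child_key
    if stripped:
        cert = without_signatures(cert)
        dnskey = None
    return validate(parent_ds, dnskey, cert)


if __name__ == "__main__":
    for signed in (True, False):
        for stripped in (False, True):
            print(f"DS in parent={signed!s:5} stripped={stripped!s:5} -> "
                  f"{scenario(signed, stripped)}")
```

With the DS present, stripping the DNSKEY or RRSIG turns the verdict from SECURE into BOGUS, so the resolver refuses the answer and the tampering is visible. Without the DS, the verdict is INSECURE both before and after stripping: the validator has no signed statement that the apex CERT and its RRSIG should exist, which is exactly the missing downgrade resistance the thread describes.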