Mike Ounsworth <[email protected]> wrote:
> I have reviewed the call-for-adoption discussion on-list, and there is
> unanimous consensus to adopt, so it is adopted. Authors, please submit a
> draft-ietf-acme-dns-persist.
Cool.
> There seems to be less consensus around the urgency and content. On one
> hand, there is desire to align the content and timing with the parallel
> ballots in CA/B F, and the authors note that there is implementation
> intent
There is a ballot there about CAA RR + DNSSEC.
I see dns-persist akin to CAA, yet there is some pushback here about asking
for DNSSEC.
dns-01 does not require DNSSEC, but also has a very limited window of
opportunity.
> As a personal [no-chair-hat] comment, I agree with Ben Kaduk's analysis
> that we need to do a good job on the Security Considerations because
> one-time-use tokens are naturally immune to all sorts of attacks, but in
> moving to a persistent token model, we'll need to consider the attack
> surface introduced by persistent tokens, most of which will come down to
> documenting the risks that operators incur by switching to this model, and
> choosing an appropriate validation reuse period.
Exactly.
I think that there are probably three kinds of attack.
1. attacker inserts new dns-persist token in addition to what might already be there. (RRSIG prevents this)
2. attacker suppresses existing dns-persist RR (NSEC3 prevents this)
3. attacker replaces RR with their own.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
