> On Mar 17, 2017, at 2:20 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
>> Is this because you're worried about the parent removing evidence of DNSSEC
>> for the child in the spoofing scenario?
>
> No, this is because the parent can spoof any data for the child. It is
> unrelated to DNSSEC.
With qname minimization, the parent will first need to deny an NS RRset for the child, and those DOE records are better candidates for logging than routine non-NS queries. So logging can be limited to NS/DS queries, but that still leaves us with the problem of how to avoid logging non-existence of NS/DS for all the sundry leaf nodes. The public suffix list might be a useful resource here...

-- 
Viktor.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
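As an added illustration (not code from this thread or from any project), here is one way a resolver-side log filter could apply the policy sketched above: keep only denial-of-existence answers for NS/DS queries, and use the public suffix list as a heuristic to drop denials for names deeper than the registrable domain. The log line format, the tiny public-suffix subset, and the "depth below suffix" cut-off are all assumptions made for this example.

```python
# Added example: filter DNS response log lines down to NS/DS denial-of-existence
# (DOE) answers at or above the registrable-domain boundary. The log format
# "qname qtype rcode proof" and the suffix subset below are constructed.

# Constructed subset of the public suffix list; a real filter would load the
# full list from publicsuffix.org and refresh it periodically (assumption).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

def public_suffix(name):
    """Longest matching public suffix of name, comparing labels right to left."""
    labels = name.rstrip(".").lower().split(".")
    best = labels[-1]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            best = candidate
    return best

def depth_below_suffix(name):
    """Labels below the public suffix: 0 = the suffix itself, 1 = registrable domain."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) - len(public_suffix(name).split("."))

def should_log(qname, qtype, proof):
    """Keep only NS/DS answers that carry an NSEC/NSEC3 proof of non-existence
    and whose owner is no deeper than the registrable domain (heuristic for
    'could plausibly have been a delegation')."""
    if qtype not in ("NS", "DS"):
        return False
    if proof not in ("NSEC", "NSEC3"):
        return False  # positive answer or unsigned zone: no DOE record to keep
    return depth_below_suffix(qname) <= 1

def filter_log(lines):
    """Return the subset of constructed log lines worth retaining."""
    kept = []
    for line in lines:
        qname, qtype, _rcode, proof = line.split()
        if should_log(qname, qtype, proof):
            kept.append(line)
    return kept

# Constructed sample log: "qname qtype rcode proof".
SAMPLE_LOG = [
    "www.example.com A NXDOMAIN NSEC",    # not an NS/DS query: drop
    "www.example.com NS NOERROR NSEC",    # leaf-node NODATA: drop
    "example.com DS NOERROR NSEC3",       # registrable domain, no DS: keep
    "example.co.uk NS NXDOMAIN NSEC",     # registrable under co.uk: keep
    "example.com NS NOERROR NONE",        # positive NS answer, no DOE: drop
]
```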