> On Mar 17, 2017, at 2:20 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> 
>> Is this because you're worried about the parent removing evidence of DNSSEC
>> for the child in the spoofing scenario?
> 
> No, this is because the parent can spoof any data for the child. It is 
> unrelated to DNSSEC.

With qname minimization, the parent will first need to deny an NS
RRset for the child, and those DOE records are better candidates
for logging than routine non-NS queries.  So logging can be limited
to NS/DS queries, but that still leaves us with the problem of how
to avoid logging non-existence of NS/DS for all the sundry leaf
nodes. The public suffix list might be a useful resource here...

-- 
        Viktor.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
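
One possible reading of the suggestion in the message above, as an added example that is not part of the original thread: log a denial of existence only when it is for NS or DS and the name sits no deeper than one label below a public suffix. The function names, the policy threshold and the small rule sample are assumptions made for illustration.

```python
# Added illustration; the policy and all names here are assumptions, not from the thread.
LOGGED_QTYPES = {"NS", "DS"}

# Constructed sample of Public Suffix List rules (the real list is far larger).
SAMPLE_PSL_RULES = ["com", "org", "uk", "co.uk", "*.ck", "!www.ck"]


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def public_suffix_len(labels, rules):
    """Return how many trailing labels form the public suffix (PSL matching)."""
    exact = {r for r in rules if not r.startswith(("*", "!"))}
    wild = {r[2:] for r in rules if r.startswith("*.")}
    exceptions = {r[1:] for r in rules if r.startswith("!")}
    best = 1  # implicit "*" rule: an unlisted TLD is a one-label suffix
    for n in range(1, len(labels) + 1):
        tail = ".".join(labels[-n:])
        if tail in exceptions:
            return n - 1  # exception rule wins: suffix is one label shorter
        parent = ".".join(labels[-n + 1:]) if n > 1 else ""
        if tail in exact or (n > 1 and parent in wild):
            best = max(best, n)
    return best


def should_log_denial(qname, qtype, denied, rules=SAMPLE_PSL_RULES):
    """Log only NS/DS denials at or directly below a public suffix.

    `denied` is True when the parent's answer was a denial of existence.
    Deeper names (the "sundry leaf nodes") are skipped to bound log volume.
    """
    if not denied or qtype.upper() not in LOGGED_QTYPES:
        return False
    labels = _labels(qname)
    return len(labels) <= public_suffix_len(labels, rules) + 1


if __name__ == "__main__":
    # Constructed sample queries: (qname, qtype, denied)
    for q in [("example.com.", "NS", True), ("www.example.com.", "NS", True),
              ("example.co.uk.", "DS", True), ("example.com.", "A", True)]:
        print(q, "->", should_log_denial(*q))
```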
