Tony Finch <[email protected]> wrote:

> I think signalling in the hostname has to be a hint rather than an
> assertion, since it's vulnerable to a downgrade attack because delegation
> NS records are unsigned (as Robert pointed out).

Downgrade seems to be an issue with all proposals. To solve them, there may need to be something signed by the parent as part of the delegation data. One option is to create a hash over the NS record set and place it in the parent zone in the same way as the DS record. This could either be a new record type or, devious but possibly deployable right now, (ab)use the DS record for the purpose with a new algorithm type.

Kind regards,
Martin

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
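As an added illustration, not part of Martin's message or of any IETF draft, the Python below computes a hypothetical DS-style digest over a delegation's NS RRset in RFC 4034 canonical form (lowercased, uncompressed names, RDATA sorted as octet strings), so a validator could compare an unsigned referral against a value published by the parent. The digest layout (owner name followed by the sorted NS RDATA, no TTL), the zone names and the sample NS sets are constructed assumptions.

```python
import hashlib
import hmac


def wire_name(name: str) -> bytes:
    """Canonical uncompressed wire form (RFC 4034 s6.2): lowercase labels, length-prefixed."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def canonical_ns_rdata(ns_names) -> list:
    """Canonical RRset order: NS RDATA sorted as left-justified unsigned octet strings.
    Duplicates collapse, so the digest does not depend on the order a referral lists them."""
    return sorted({wire_name(n) for n in ns_names})


def delegation_digest(owner: str, ns_names, alg: str = "sha256") -> str:
    """Hypothetical parent-published digest: hash(owner || sorted NS RDATA), analogous to
    a DS digest over a DNSKEY. TTL is deliberately excluded (assumption) because parent
    and child copies of the NS set may carry different TTLs."""
    h = hashlib.new(alg)
    h.update(wire_name(owner))
    for rdata in canonical_ns_rdata(ns_names):
        h.update(rdata)
    return h.hexdigest()


def check_delegation(owner: str, ns_names, parent_digest: str, alg: str = "sha256") -> bool:
    """Return True only if the NS set seen in a referral matches the parent-published digest."""
    return hmac.compare_digest(delegation_digest(owner, ns_names, alg), parent_digest.lower())


if __name__ == "__main__":
    # Constructed example: the parent signs this digest alongside the (unsigned) NS records.
    published = delegation_digest("example.test.", ["ns1.example.test", "ns2.example.test"])
    # Same set, different order and case, still matches.
    print(check_delegation("example.test.", ["NS2.example.test.", "ns1.example.test"], published))
    # A referral whose NS set was altered in transit fails the check.
    print(check_delegation("example.test.", ["ns1.example.test", "ns3.example.test"], published))
```

Because the parent-side value is the only signed input, a mismatch tells the validator the referral was changed, which is the gap an unsigned NS set leaves open.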
