On Fri, Sep 28, 2018 at 9:09 AM Paul Hoffman <[email protected]> wrote:
> On 28 Sep 2018, at 8:32, manu tman wrote: > > > I have been thinking of a way to authenticate DoT servers for delegations > > that cannot be validated using DANE as describe in Stephane’s draft > > https://tools.ietf.org/html/draft-bortzmeyer-dprive-resolver-to-auth-01 > > > > The idea is to leverage both DNSSEC and SPKI to authenticate a zone but > by > > relying on the parent to validate the public key. I have documented it at > > > > > https://datatracker.ietf.org/doc/draft-bretelle-dprive-dot-for-insecure-delegations/ > > > > Feedback is welcomed. Thanks > Thanks Paul, > > This approach (putting the SPKI in the parent) seems fine, as long as the > parent is signed. If I read it correctly, it would not work securely if the > parent is not signed, correct? > Correct, this should only works if the parent is able to sign its records and can be validated, which is what I tried to convey in the document, but I guess would need to be clarified based on your feedback. > Also, I disagree with the logic in Section 3.1 on using PKIX. Using PKIX > certificates does not mean using the same CA structure as the web PKI, and > trusting CAs for nameservers could be made a lot better than the current > CABForum rules. > Fair enough. I can take that off, this was mostly illustrative more than anything. Manu > > --Paul Hoffman
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
