Thanks Ilari,

> This proposal actually reminds me a lot of an idea I had that actually
> used DS records instead of a new record type.
>
> AFAIK:
> - DNSsec ignores any such record (unknown algorithm)
>   -> No interference with DNSsec.
> - CDS does not ignore such records.
>   -> Automated synchronization.
> - Lives on parent side of delegation.
>   -> No post-hoc authentication.

I heard this idea twice today, and it sounds interesting. What I gather from Paul Wouters is that not all registrars may accept unknown algorithms, as they would validate that the DS is valid by checking the presence of the DNSKEY in the child. This would seem to be the biggest hurdle.

> The problem that idea ran into was actually the same: If DNS is
> outsourced to some external provider (which is actually very
> common), then key rotations need two parties to coordinate, which
> is a nasty problem.

If CDS works, then it should be fine, right?

> And then there is the issue that not all nameservers for a zone might have
> DoT support, and in that case, one would have to discover which ones
> do. And NS records might not be signed, so one can not rely on those.

Yeah, this would be a problem, even more so if using multiple providers. On the other hand, the NS selection heuristic should probably prefer a DoT nameserver over one that does not support it when possible.

> The unreliability of NS pretty much means that unless all nameservers
> support DoT, one has to duplicate nameservers into signed records. And
> that might be multiple repetitions, which are not compressible, since
> DS is not magic that way (even if it is magic due to where it lives).
> Also, writing the nameserver name into a DS record is not exactly
> pleasant (as the field is hex-encoded).

Yeah, NS is very much all or nothing and does not allow for ramping up nameservers individually.

> One hack upon hack would be to have a second key type be an indirect
> reference, which would then be looked up using a new RRtype at the
> target name. This would allow the "cloud" case to work without annoying
> coordination problems.

I am not sure I am fully grasping this. Mind sharing a bit more?

Thanks
Manu

> -Ilari
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
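A worked model of the DS-signalling idea discussed in the thread, added here as an example (it is not code from the thread, from Ilari or Manu, or from any project): it shows a validator ignoring an unknown-algorithm DS record, the nameserver name hex-encoded into the digest field as Ilari describes, and the registrar check for a matching child DNSKEY that Manu raises as the biggest hurdle. The algorithm number 200, the key bytes, the key tag and digest type of the signalling record, and the names are constructed placeholders.

```python
import hashlib, struct
from dataclasses import dataclass

SUPPORTED_ALGS = {8, 13, 15}  # DNSKEY algorithms this model validator supports (subset)
SIGNAL_ALG = 200              # constructed placeholder, NOT an IANA-assigned algorithm

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str               # hex, as in DS presentation format

def wire_name(name):
    """Owner name in uncompressed wire format, lower-cased as RFC 4034 requires."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, alg, pubkey):
    """Real DS (digest type 2, SHA-256) for a child DNSKEY: SHA-256(owner | RDATA)."""
    rdata = struct.pack("!HBB", flags, 3, alg) + pubkey  # flags, protocol=3, algorithm
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), alg, 2, digest)

def signal_ds(nameserver):
    """Ilari's encoding: nameserver name hex-encoded into the digest field (tag/type 0)."""
    return DS(0, SIGNAL_ALG, 0, nameserver.encode("ascii").hex().upper())
def decode_signal(ds):
    return bytes.fromhex(ds.digest).decode("ascii")

def validator_view(ds_rrset):
    """RFC 4035 s5.2 / RFC 6840 s5.2: ignore unsupported-algorithm DS; none left = insecure."""
    usable = [ds for ds in ds_rrset if ds.algorithm in SUPPORTED_ALGS]
    return usable, ("secure" if usable else "insecure")

def registrar_accepts(cds_rrset, child_dnskeys):
    """Manu's hurdle: a registrar requiring every CDS to match a child DNSKEY rejects the signal."""
    expected = {ds_from_dnskey(*k) for k in child_dnskeys}
    return all(ds in expected for ds in cds_rrset)

# Constructed child zone: one KSK (flags 257, alg 13, placeholder key bytes) plus the signal.
CHILD_KEYS = [("example.com.", 257, 13, bytes(range(64)))]
CDS_RRSET = [ds_from_dnskey(*CHILD_KEYS[0]), signal_ds("ns1.example.net.")]
```

The same CDS set is "secure" to a validator (it sees only the alg-13 DS), carries the nameserver name for a CDS-aware parent, and fails the DNSKEY-presence check a strict registrar applies.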
