Hello,
On 24 Mar 2019, at 18:45, manu tman wrote:
This proposal actually reminds me a lot of an idea I had that actually
used DS records instead of a new record type.
AFAIK:
- DNSsec ignores any such record (unknown algorithm)
-> No interference with DNSsec.
- CDS does not ignore such records.
-> Automated synchronization.
- Lives on parent side of delegation.
-> No post-hoc authentication.
I heard this idea twice today, and it sounds interesting.
From what I gather from Paul Wouters, not all registrars may accept
unknown algorithms, and they would also validate that the DS is valid by
checking the presence of the DNSKEY in the child.
This would seem to be the biggest hurdle.
Signalling & anchoring DoT in DS was suggested to me by a friend some
time ago as well. Yesterday, Pieter Lexis and I ran some experiments
with this (before catching up to this thread!).
Looking up weird-ds1.7bits.nl/TXT (weird algorithm) and
weird-ds2.7bits.nl/TXT (weird digest type) should return insecure on
your favourite validator. Google DNS (8.8.8.8) and Knot Resolver
disagree. A Knot resolver has informally confirmed this as a bug. I’m
sure we can convince Google of the same, so on the validator side,
deployment seems feasible.
Registrars/registries are a different problem - but that problem is not
entirely dissimilar from the slow rate of adoption of new algorithms
(ECDSA, Ed25519) that we’ve seen in some registries. It is also a
problem that can, over time, be fixed.
Personally I like the DS signalling idea a lot, but I do see the
‘cloud provider’ problem angle.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
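As an added illustration of the validator-side behaviour the thread relies on (this is example code written for this page, not code from the thread, PowerDNS, Knot or Google): a small model of the delegation step in which a validator ignores DS records whose algorithm or digest type it does not implement (RFC 4035 section 5.2). A DS RRset made up only of such records yields an *insecure* (unsigned) result; a validator that instead returns *bogus* is the behaviour Peter describes seeing at 8.8.8.8 and Knot Resolver. The supported-algorithm set, the key material, the DS values and the signal algorithm number are all constructed assumptions for the demo; signature checking of the child DNSKEY RRset is left out of the model.

```python
"""
Model of DNSSEC delegation classification with unknown DS algorithms.
Added example for this page; not code from the thread or any resolver.
"""
import hashlib
from dataclasses import dataclass

# Algorithm / digest-type numbers this model validator implements. The numbers
# themselves are the IANA-registered ones; which ones a given resolver supports
# is an assumption made for the demo.
SUPPORTED_ALGORITHMS = {8, 13, 14, 15, 16}  # RSASHA256, ECDSAP256, ECDSAP384, Ed25519, Ed448
SUPPORTED_DIGESTS = {2, 4}                  # SHA-256, SHA-384

# Placeholder algorithm number used only to carry a signal in a DS record.
# 253 is PRIVATEDNS in the IANA registry; its use here is an arbitrary assumption.
SIGNAL_ALGORITHM = 253


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (general case, not the RSA/MD5 special case)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i % 2 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    # Canonical (lower-case) wire form of the owner name, as hashed into a DS
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode()
    return out + b"\x00"


def make_ds(key: DNSKEY, digest_type: int) -> DS:
    # DS digest = hash(owner name wire | DNSKEY RDATA), RFC 4034 section 5.1.4
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return DS(key.key_tag(), key.algorithm, digest_type,
              h(owner_wire(key.owner) + key.rdata()).digest())


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    # Only called for DS records whose digest type we implement
    return (ds.algorithm == key.algorithm and ds.key_tag == key.key_tag()
            and make_ds(key, ds.digest_type).digest == ds.digest)


def classify_delegation(ds_rrset, child_keys, ignore_unknown=True) -> str:
    """
    Classify a delegation whose (already authenticated) DS RRset is ds_rrset
    and whose child DNSKEY RRset is child_keys: 'insecure', 'secure' or 'bogus'.
    ignore_unknown=True is the RFC 4035 behaviour; False models a validator that
    treats an all-unknown DS RRset as a validation failure (the bug in the thread).
    """
    if not ds_rrset:
        return "insecure"  # proven absence of DS: unsigned delegation
    usable = [ds for ds in ds_rrset
              if ds.algorithm in SUPPORTED_ALGORITHMS
              and ds.digest_type in SUPPORTED_DIGESTS]
    if not usable:
        return "insecure" if ignore_unknown else "bogus"
    if any(ds_matches(ds, k) for ds in usable for k in child_keys):
        return "secure"
    return "bogus"  # a usable DS exists but no child key matches it


def extract_signal(ds_rrset):
    # The signalling side: read the digest field of DS records carrying the
    # placeholder algorithm; validators skip these records entirely.
    return [ds.digest for ds in ds_rrset if ds.algorithm == SIGNAL_ALGORITHM]


if __name__ == "__main__":
    ksk = DNSKEY("child.example.", 257, 3, 13, bytes(range(64)))  # constructed key
    normal = make_ds(ksk, 2)
    weird = DS(12345, SIGNAL_ALGORITHM, 2, b"dot-signal")        # constructed DS
    print(classify_delegation([normal], [ksk]))                   # secure
    print(classify_delegation([weird], [ksk]))                    # insecure
    print(classify_delegation([weird], [ksk], ignore_unknown=False))  # bogus (the bug)
    print(classify_delegation([normal, weird], [ksk]))            # secure: signal rides along
    print(extract_signal([normal, weird]))                        # [b'dot-signal']
```

The last case is the one that matters for deployment: a signal-carrying DS placed next to a conventional DS leaves the delegation secure under a correct validator, while a DS RRset containing only the signal record must come back insecure rather than SERVFAIL.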
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy