> >> This proposal actually reminds me a lot of an idea I had that actually
> >> used DS records instead of a new record type.
> >>
> >> AFAIK:
> >> - DNSSEC ignores any such record (unknown algorithm)
> >>   -> No interference with DNSSEC.
> >> - CDS does not ignore such records.
> >>   -> Automated synchronization.
> >> - Lives on parent side of delegation.
> >>   -> No post-hoc authentication.
There's a problem with CDS and unknown algorithms. RFC 7344 section 4.1, third bullet, requires the parent to verify that the delegation will not be broken by the new DS RRset. This means the parent needs to check that it is able to validate every algorithm, otherwise it could open up a downgrade attack.

Note that this validation is not just checking that the DS records have matching DNSKEY records; the parent must also validate that at least one matching key has signed the DNSKEY RRset (because that's what normal validators will need to be able to do).

So unknown algorithm hacks will not work with CDS as things currently are.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Great Orme Head to the Mull of Galloway: Variable 3 or 4, becoming southwest 4 or 5. Smooth or slight. Fair. Good.

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
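The acceptance rule Tony describes, written out as an added example (not code from the thread or from any registry's CDS scanner): a parent consumes a CDS RRset, refuses it if any DS carries an algorithm or digest type the parent cannot validate, and otherwise requires at least one DS to match a DNSKEY that really signed the child's DNSKEY RRset. The DNSKEY RDATA, key tag and DS digest follow RFC 4034; the signature covers only the owner name plus the DNSKEY RDATA in the given order, which is an assumed simplification of a real RRSIG (no RRSIG header fields, no canonical ordering). The zone name, keys and the "unknown" algorithm number 200 are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Algorithm and digest-type numbers from the IANA DNSSEC registries.
const (
	algEd25519 uint8 = 15  // RFC 8080
	algUnknown uint8 = 200 // unassigned number, models an "unknown algorithm" DS (constructed)
	dsSHA256   uint8 = 2
)

type DNSKEY struct {
	Flags    uint16
	Protocol uint8
	Alg      uint8
	PubKey   []byte
}

type DS struct {
	KeyTag     uint16
	Alg        uint8
	DigestType uint8
	Digest     []byte
}

// rdata returns the DNSKEY RDATA in wire format (RFC 4034 section 2.1).
func (k DNSKEY) rdata() []byte {
	b := make([]byte, 4, 4+len(k.PubKey))
	binary.BigEndian.PutUint16(b, k.Flags)
	b[2], b[3] = k.Protocol, k.Alg
	return append(b, k.PubKey...)
}

// keyTag is the RFC 4034 Appendix B checksum over the RDATA.
func (k DNSKEY) keyTag() uint16 {
	var ac uint32
	for i, c := range k.rdata() {
		if i%2 == 0 {
			ac += uint32(c) << 8
		} else {
			ac += uint32(c)
		}
	}
	return uint16((ac + (ac >> 16)) & 0xffff)
}

// wireName is the canonical (lower-case) wire encoding of an owner name.
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if l != "" {
			b = append(append(b, byte(len(l))), l...)
		}
	}
	return append(b, 0)
}

// makeDS derives the DS the parent would publish for k (RFC 4034 section 5.1.4):
// digest = SHA-256(owner name | DNSKEY RDATA).
func makeDS(owner string, k DNSKEY) DS {
	h := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return DS{KeyTag: k.keyTag(), Alg: k.Alg, DigestType: dsSHA256, Digest: h[:]}
}

// signedData is the message the child's key signs. Assumed simplification: a real
// RRSIG also covers the RRSIG header fields and canonically orders the RRs.
func signedData(owner string, keys []DNSKEY) []byte {
	msg := wireName(owner)
	for _, k := range keys {
		msg = append(msg, k.rdata()...)
	}
	return msg
}

// Parent models the registry-side CDS consumer and what it can validate.
type Parent struct{ Algs, Digests map[uint8]bool }

// AcceptCDS applies the rule from the reply: every DS must be validatable by the
// parent, and at least one must match a DNSKEY that signed the DNSKEY RRset.
func (p Parent) AcceptCDS(owner string, cds []DS, keys []DNSKEY, sigs [][]byte) error {
	if len(cds) == 0 {
		return fmt.Errorf("empty CDS RRset")
	}
	for _, d := range cds {
		if !p.Algs[d.Alg] || !p.Digests[d.DigestType] {
			return fmt.Errorf("DS alg %d/digest %d: parent cannot validate it, refusing", d.Alg, d.DigestType)
		}
	}
	msg := signedData(owner, keys)
	for _, d := range cds {
		for _, k := range keys {
			if k.Alg != d.Alg || !bytes.Equal(makeDS(owner, k).Digest, d.Digest) {
				continue // this DS does not point at this DNSKEY
			}
			for _, s := range sigs { // the matching key must also have signed the RRset
				if k.Alg == algEd25519 && ed25519.Verify(ed25519.PublicKey(k.PubKey), msg, s) {
					return nil
				}
			}
		}
	}
	return fmt.Errorf("no DS matches a DNSKEY that signed the DNSKEY RRset")
}

// RunScenarios builds a constructed child zone and reports, per scenario,
// whether the parent accepts the CDS RRset.
func RunScenarios() map[string]bool {
	const owner = "example.test." // constructed zone name
	parent := Parent{Algs: map[uint8]bool{algEd25519: true}, Digests: map[uint8]bool{dsSHA256: true}}
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ksk := DNSKEY{Flags: 257, Protocol: 3, Alg: algEd25519, PubKey: kskPub}
	zsk := DNSKEY{Flags: 256, Protocol: 3, Alg: algEd25519, PubKey: zskPub}
	keys := []DNSKEY{ksk, zsk}
	sigs := [][]byte{ed25519.Sign(kskPriv, signedData(owner, keys))} // only the KSK signs
	unknown := makeDS(owner, ksk)
	unknown.Alg = algUnknown
	cases := map[string][]DS{
		"ksk that signed":   {makeDS(owner, ksk)},
		"zsk did not sign":  {makeDS(owner, zsk)},
		"unknown algorithm": {makeDS(owner, ksk), unknown},
	}
	out := map[string]bool{}
	for name, cds := range cases {
		out[name] = parent.AcceptCDS(owner, cds, keys, sigs) == nil
	}
	return out
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-18s accepted=%v\n", name, ok)
	}
}
```

The third scenario is the "unknown algorithm" hack from the quoted proposal: even though the same CDS RRset also contains a perfectly good DS for the signing KSK, the parent refuses the whole set because it cannot validate the algorithm-200 record, which is the downgrade concern in the reply. The second scenario shows why matching a DNSKEY is not enough: the ZSK is present in the DNSKEY RRset but did not sign it, so a validator following that DS would fail.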