Subject: Re: [dns-privacy] [Ext] Threat Model

On Mon, 4 Nov 2019, Tony Finch wrote:

> Paul Wouters <[email protected]> wrote:
>
> > The right way to do this is a DNSKEY flag, which is protected by the
> > signed DS at the parent. Similar to draft-powerbind for the
> > delegation-only domain.
>
> That's per-zone, though, whereas DoT support is per-server.

Maybe that's ideal, but one would expect that a zone only rolls this
out once all their nameservers support it. Otherwise, whether or not
resolvers do DoT to authoritative servers would be an odd game of
Russian roulette depending on which NS record was followed, something
that could even be tweaked by an attacker, like by stripping glue from
the ones that did support it.

> DS records that somehow encode NS target names in their rdata might
> work...

That still leaves too much control at the parent to change it against
the child's wishes. A DNSKEY flag commits the child zone using publication
at its parent without giving the parent a veto.

Paul
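The two signalling designs discussed in this exchange, as an added example that is not code from the thread, the list, or any draft: a resolver-side model in Python of how a DNSKEY flag word is covered by the parent's DS digest (RFC 4034 digest type 2, SHA-256 over the owner name and DNSKEY RDATA), so clearing the flag in transit shows up as a validation failure rather than a silent downgrade, contrasted with per-server signalling where the transport depends on which NS record the resolver happens to follow. The FLAG_DOT_HYPOTHETICAL bit value, the zone and server names, and the key bytes are assumptions constructed for the example; no such flag is assigned.

```python
import hashlib
import struct

# Real DNSKEY flag bits (RFC 4034 section 2.1, RFC 4035 / RFC 5011).
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001
# Hypothetical "my servers speak DoT" flag, for this illustration only.
# Assumption: no such bit exists; the value is chosen to avoid real ones.
FLAG_DOT_HYPOTHETICAL = 0x0002


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, ending with the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def ds_digest(owner, flags, algorithm, pubkey):
    """DS digest type 2 over owner name || DNSKEY RDATA (RFC 4034 section
    5.1.4). The parent publishes and signs this, so it covers the flags."""
    data = name_to_wire(owner) + dnskey_rdata(flags, algorithm, pubkey)
    return hashlib.sha256(data).digest()


def validate_dnskey(owner, flags, algorithm, pubkey, parent_ds):
    """A validating resolver accepts the child's DNSKEY only when its digest
    matches the DS the parent signed; any change to the flags breaks it."""
    return ds_digest(owner, flags, algorithm, pubkey) == parent_ds


def zone_requires_dot(owner, flags, algorithm, pubkey, parent_ds):
    """Per-zone design from the thread: the commitment lives in the DNSKEY
    flags, so it is trusted only when the DS chain validates.
    Returns True/False for a validated key, None for a bogus one."""
    if not validate_dnskey(owner, flags, algorithm, pubkey, parent_ds):
        return None
    return bool(flags & FLAG_DOT_HYPOTHETICAL)


def choose_transport_per_zone(requires_dot, chosen_ns, ns_supports_dot):
    """With a zone-level commitment the resolver never downgrades: a server
    that will not do DoT is a failure to retry elsewhere, not cleartext."""
    if requires_dot:
        return "dot" if ns_supports_dot.get(chosen_ns) else "fail"
    return "cleartext"


def choose_transport_per_server(chosen_ns, ns_supports_dot):
    """Per-server signalling with nothing signed: the transport is whatever
    the NS the resolver happened to follow advertises."""
    return "dot" if ns_supports_dot.get(chosen_ns) else "cleartext"


def demo():
    """Constructed zone example.com with two servers, one DoT-capable."""
    owner = "example.com."
    algorithm = 13                 # ECDSAP256SHA256 (a real algorithm number)
    pubkey = bytes(range(64))      # constructed placeholder, not a real key
    flags = FLAG_ZONE | FLAG_SEP | FLAG_DOT_HYPOTHETICAL
    parent_ds = ds_digest(owner, flags, algorithm, pubkey)  # what the parent signs
    ns_supports_dot = {"ns1.example.com.": True, "ns2.example.com.": False}

    results = {}
    # Per-zone: the flag is authenticated through the DS.
    results["per_zone_signal"] = zone_requires_dot(
        owner, flags, algorithm, pubkey, parent_ds)
    # Clearing the flag in the DNSKEY answer changes the digest, so the
    # chain goes bogus and the resolver notices instead of downgrading.
    stripped = flags & ~FLAG_DOT_HYPOTHETICAL
    results["per_zone_signal_flag_stripped"] = zone_requires_dot(
        owner, stripped, algorithm, pubkey, parent_ds)
    # The rollout caveat: landing on a server without DoT is a retryable
    # failure, never a silent fallback to cleartext.
    results["per_zone_on_non_dot_server"] = choose_transport_per_zone(
        True, "ns2.example.com.", ns_supports_dot)
    # Per-server: nothing signed ties the zone to DoT, so an NS set reduced
    # to the non-DoT server (the glue-stripping concern) yields cleartext
    # with no validation failure to detect it.
    results["per_server_filtered"] = choose_transport_per_server(
        "ns2.example.com.", ns_supports_dot)
    results["per_server_unfiltered"] = choose_transport_per_server(
        "ns1.example.com.", ns_supports_dot)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately keeps the DS computation real (digest type 2 as specified) and the policy functions tiny, so the difference between the two designs is visible in the outcomes: in the per-zone case a tampered flag yields "bogus" rather than a quietly weaker transport, while in the per-server case the same tampering leaves nothing for a validator to check.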
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy