On Fri, 29 May 2020, Peter van Dijk wrote:

> On Wed, 2020-05-27 at 21:27 -0400, Paul Wouters wrote:
>
>> It would make everything a LOT cleaner and we would have no bogus
>> DNSKEY records to ignore in our DNSSEC validation path.
>
> What bogus DNSKEY records?
It really all depends on what registry systems you want to support. We
have some combos:

- Takes any DS --> give our DS with DoT info embedded
- Takes DS, but verifies it is a real DNSKEY at the child --> we create bogus
  DNSKEY matching our DS request
- Takes any CDS --> put our info in zone as CDS
- Takes CDS, but verifies it is a real DNSKEY at the child --> we create bogus
  DNSKEY matching our CDS request
- Takes DNSKEY, only does syntax checks --> we don't need to publish anything
- Takes DNSKEY, verifies it lives in child --> we create bogus DNSKEY
- Takes DNSKEY, but verifies it is a supported algorithm --> we have to
  convince them to support our pseudo alg
- Takes any CDNSKEY --> we only need to publish as CDNSKEY, not DNSKEY
- Takes CDNSKEY but verifies it lives in child as DNSKEY --> we need to
  publish CDNSKEY and bogus DNSKEY
When I say bogus I mean "not a DNSKEY used for DNSSEC validation of DNS data"
Paul
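As an added example (not code from this thread or from any registry), here is the "verifies it is a real DNSKEY at the child" check that, in the list above, forces the extra DNSKEY to be published: a submitted DS is accepted only if some DNSKEY in the child zone reproduces its key tag, algorithm and digest, computed as in RFC 4034 section 5.1.4 and Appendix B. The zone name and key bytes below are constructed placeholders, not a real key.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum 16-bit big-endian words over the RDATA, fold the carry."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """RFC 4034 5.1.4: digest over owner name (wire form) followed by DNSKEY RDATA."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()


def build_ds(owner: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int = 2):
    """DS RDATA as a tuple (key tag, algorithm, digest type, digest) for a child DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def ds_backed_by_child_key(owner: str, ds, child_dnskeys) -> bool:
    """The registry-side check: does any (flags, algorithm, pubkey) DNSKEY in the child
    zone match the DS on tag, algorithm and digest? A registry that 'takes any DS'
    skips this entirely, which is why only the stricter ones need the extra DNSKEY."""
    tag, alg, dtype, digest = ds
    for flags, kalg, pubkey in child_dnskeys:
        rdata = dnskey_rdata(flags, kalg, pubkey)
        if kalg == alg and key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == digest:
            return True
    return False


# Constructed placeholder key (KSK flags 257, algorithm 13) for the demo; not a real ECDSA key.
DEMO_ZONE = "example.org"
DEMO_KEY = (257, 13, bytes(range(64)))
DEMO_DS = build_ds(DEMO_ZONE, *DEMO_KEY)
```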
_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy