On Fri, 2020-05-29 at 11:25 -0400, Paul Wouters wrote:
> On Fri, 29 May 2020, Peter van Dijk wrote:
>
> > On Wed, 2020-05-27 at 21:27 -0400, Paul Wouters wrote:
> > > It would make everything a LOT cleaner and we got no bogus
> > > DNSKEY records to ignore in our DNSSEC validation path.
> >
> > What bogus DNSKEY records?
>
> It really all depends on what registry systems you want to support.

Right! Preferably as many as possible - that's why the process in the draft looks more convoluted than would be desirable.

Note that the DNSSEC validation paths in existing resolvers already ignore DNSKEYs for algos they do not support.

> We have some combos:

Thanks, I'm going to go through them one by one just in case you spotted any interesting edge cases.

> - Takes any DS --> give our DS with DoT info embedded

Right, easy.

> - Takes DS, but verifies it is a real DNSKEY at the child --> we create bogus
> DNSKEY matching our DS request

I am hoping, also for 'normal' DNSSEC reasons (like key rolls), that no registry does this.

> - Takes any CDS --> Put our info in zone as CDS

Yes.

> - Takes CDS, but verifies it is a real DNSKEY at the child --> we create
> bogus DNSKEY matching our CDS request

Hopefully as above.

> - Takes DNSKEY, only does syntax checks ---> we don't need to publish anything

Yes.

> - Takes DNSKEY, verifies it lives in child ---> we create bogus DNSKEY

Hopefully as above.

> - Takes DNSKEY, but verifies it is a supported algorithm --> we have to
> convince them to support our pseudo alg

Yes, and, we found out and will put in -01: to allow 'weird' flags for at least that algo. (Incidentally you might one day run into the same question with DELEGATION_ONLY, although a zone delegated from a registry would not be a common place for that flag.)

> - Takes any CDNSKEY ---> we only need to publish as CDNSKEY, not DNSKEY

Yes.

> - Takes CDNSKEY but verifies it lives in child as DNSKEY ---> we need to
> publish CDNSKEY and bogus DNSKEY

Hopefully as above, again :)

I'm collecting registry issues at https://github.com/PowerDNS/parent-signals-dot/issues/22 - I hope that list never grows a 'demands visible DNSKEY to go with the DS' entry!

> When I say bogus I mean "not a DNSKEY used for DNSSEC validation of DNS data"

Understood now.
I think 'bogus' might be the worst possible choice of words though ;)

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
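Two of the registry behaviours in the list above turn on a concrete check: a registry that "verifies it is a real DNSKEY at the child" recomputes the DS digest over the child's DNSKEY (RFC 4034 section 5.1.4) and rejects a DS that matches nothing the child publishes, and a validating resolver that meets a DS whose algorithm it does not implement skips it rather than failing (RFC 4035 section 5.2, RFC 6840). The following Python is an added example written for this page; it is not code from the thread, from PowerDNS, or from the draft being discussed. The DNSKEY material is constructed and not a real key, the owner name is example.org, and the pseudo-algorithm number 250 is a placeholder standing in for whatever value the draft actually assigns.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample material for this example: a made-up 64-byte "public key"
# (not real key material) in a DNSKEY with KSK flags (257), protocol 3 and
# algorithm 13 (ECDSAP256SHA256).
OWNER = "example.org."
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13,
                 "pubkey": bytes(range(1, 65))}

# Placeholder for the draft's pseudo-algorithm number; the draft's real value
# is whatever it assigns, not 250.
PSEUDO_ALGORITHM_PLACEHOLDER = 250

# DS digest types and signing algorithms a typical validator implements.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SUPPORTED_ALGORITHMS = {8, 13, 14, 15, 16}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase
    labels, each as a length byte plus label bytes, terminated by a zero byte."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: dict, digest_type: int = 2) -> dict:
    """Build the DS record a parent would publish for this DNSKEY:
    digest = hash(canonical owner name || DNSKEY RDATA)."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported digest type {digest_type}")
    rdata = dnskey_rdata(key)
    digest = DIGEST_TYPES[digest_type](canonical_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(owner: str, ds: dict, key: dict) -> bool:
    """The check a registry runs when it 'verifies it is a real DNSKEY at the
    child': recompute the DS from the child's DNSKEY and compare every field.
    A digest type we cannot compute is treated as a mismatch."""
    if ds["digest_type"] not in DIGEST_TYPES:
        return False
    expected = make_ds(owner, key, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(expected["digest"], ds["digest"]))


def find_matching_dnskey(owner: str, ds: dict, dnskeys: list) -> Optional[dict]:
    """Registry-style lookup: the child DNSKEY the DS was built from, or None
    when the child publishes no such key (the case that forces a 'bogus' DNSKEY)."""
    for key in dnskeys:
        if ds_matches_dnskey(owner, ds, key):
            return key
    return None


def ds_usable_for_validation(ds: dict, supported=SUPPORTED_ALGORITHMS) -> bool:
    """Validator-side filter: a DS whose algorithm or digest type the resolver
    does not implement is skipped, not treated as bogus, so a DS carrying a
    pseudo-algorithm is ignored by existing validators."""
    return ds["algorithm"] in supported and ds["digest_type"] in DIGEST_TYPES


if __name__ == "__main__":
    ds = make_ds(OWNER, SAMPLE_DNSKEY)
    print("DS:", ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"].hex())
    print("child publishes matching DNSKEY:", find_matching_dnskey(OWNER, ds, [SAMPLE_DNSKEY]) is not None)
    pseudo = make_ds(OWNER, dict(SAMPLE_DNSKEY, algorithm=PSEUDO_ALGORITHM_PLACEHOLDER))
    print("validator would use pseudo-alg DS:", ds_usable_for_validation(pseudo))
```

Run as a script it prints the DS fields for the constructed key, confirms the registry-style lookup finds the matching DNSKEY, and shows that the DS with the placeholder pseudo-algorithm fails the validator's usability filter, which is the resolver-side behaviour the reply relies on when it says existing validation paths already ignore unsupported algorithms.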
