That sounds quite painful for servers that serve hundreds or
thousands of zones.
I think this will work for NS with names in the zone. Still scratching my
head about NS in other zones.
On a referral, the parent server sends TLSA records as glue along with
the NS and DS in the referral. The client connects to one of those NS
and checks the cert with TLSA. It then retrieves the signed NS and TLSA
from the child to ensure that they match the unsigned ones from the
parent. To resist downgrades, if a client gets a referral without a TLSA
but finds a TLSA in the child zone, it (wave hands a little) complains and
reconnects using TLS.
I don't think that leaks anything beyond what you can tell from the fact
that it's making connections to port 853. It doesn't leak what name is
being referred.
The bad news is that authoritative servers have to be adjusted to send
TLSA as glue, and registry provisioning systems have to handle TLSA glue
as well as A and AAAA.
For NS with names out of the zones, I guess the client looks for a TLSA
when it looks for A and AAAA.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
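The referral check sketched in the message above, as an added example that is not part of the original message or of any resolver: a resolver-side model of "TLSA as glue", where the client checks the server certificate against the parent's glue TLSA, then compares the child's signed NS and TLSA against the glue and treats a referral without TLSA but a child with TLSA as a downgrade. The record containers, function names and sample zone data are all assumptions made for the example; DNSSEC validation of the child's records is assumed to have happened elsewhere.

```python
"""Added example (not from the dns-privacy thread): resolver-side checks for
the "TLSA as glue" referral scheme. Record containers, names and sample data
are assumptions for illustration; DNSSEC validity of the child's records is
assumed to have been checked elsewhere."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """RFC 6698 TLSA fields. Only usage 3 (DANE-EE), selector 0 (full cert)
    and matching type 1 (SHA-256) / 0 (exact) are exercised here."""
    usage: int
    selector: int
    mtype: int
    data: bytes


@dataclass
class Referral:
    """What the parent sends on referral: NS set plus glue keyed by NS name.
    DS and A/AAAA are omitted because the check below does not use them."""
    zone: str
    ns: frozenset
    tlsa_glue: dict  # NS name -> frozenset[TLSA]; {} means no TLSA glue


@dataclass
class ChildAnswer:
    """Signed NS and TLSA as later fetched from the child's own servers."""
    ns: frozenset
    tlsa: dict  # NS name -> frozenset[TLSA]


def tlsa_matches_cert(record: TLSA, cert_der: bytes) -> bool:
    """Step 1: the client connects to an NS on port 853 and checks the
    presented certificate against a glue TLSA record."""
    if record.usage != 3 or record.selector != 0:
        raise ValueError("example only handles usage 3 / selector 0")
    if record.mtype == 1:
        return hashlib.sha256(cert_der).digest() == record.data
    if record.mtype == 0:
        return cert_der == record.data
    raise ValueError("unsupported matching type %d" % record.mtype)


def cert_accepted_by_glue(referral: Referral, ns_name: str, cert_der: bytes) -> bool:
    """True if any glue TLSA record for ns_name matches the certificate."""
    return any(tlsa_matches_cert(r, cert_der)
               for r in referral.tlsa_glue.get(ns_name, frozenset()))


def decide_after_child_lookup(referral: Referral, child: ChildAnswer) -> str:
    """Step 2: compare the child's signed NS/TLSA with the parent's glue.
    "mismatch"  - signed child data disagrees with the glue: distrust it.
    "downgrade" - parent gave no TLSA for an NS but the child publishes one:
                  complain and reconnect over TLS using the child's TLSA.
    "tls"       - glue and child agree and TLSA is present: keep using TLS.
    "plain"     - no TLSA anywhere: nothing to verify, ordinary port 53."""
    if referral.ns != child.ns:
        return "mismatch"
    saw_tlsa = False
    for name in sorted(child.ns):
        parent_set = referral.tlsa_glue.get(name, frozenset())
        child_set = child.tlsa.get(name, frozenset())
        if not parent_set and child_set:
            return "downgrade"
        if parent_set != child_set:
            return "mismatch"
        saw_tlsa = saw_tlsa or bool(child_set)
    return "tls" if saw_tlsa else "plain"


# --- constructed sample data (not real certificates or zones) -------------
CERT_NS1 = b"constructed stand-in for ns1.child.example DER cert"
CERT_NS2 = b"constructed stand-in for ns2.child.example DER cert"
CERT_ROGUE = b"constructed stand-in for an attacker's cert"


def sha256_tlsa(cert_der: bytes) -> TLSA:
    return TLSA(usage=3, selector=0, mtype=1,
                data=hashlib.sha256(cert_der).digest())


NS_SET = frozenset({"ns1.child.example.", "ns2.child.example."})
CHILD_TLSA = {"ns1.child.example.": frozenset({sha256_tlsa(CERT_NS1)}),
              "ns2.child.example.": frozenset({sha256_tlsa(CERT_NS2)})}
GOOD_REFERRAL = Referral("child.example.", NS_SET, dict(CHILD_TLSA))
STRIPPED_REFERRAL = Referral("child.example.", NS_SET, {})  # glue TLSA removed
SIGNED_CHILD = ChildAnswer(NS_SET, CHILD_TLSA)


def demo() -> dict:
    """Run the four situations a client can land in and return the verdicts."""
    tampered = Referral("child.example.", NS_SET,
                        {"ns1.child.example.": frozenset({sha256_tlsa(CERT_ROGUE)}),
                         "ns2.child.example.": CHILD_TLSA["ns2.child.example."]})
    return {
        "cert_ok": cert_accepted_by_glue(GOOD_REFERRAL, "ns1.child.example.", CERT_NS1),
        "cert_rogue": cert_accepted_by_glue(GOOD_REFERRAL, "ns1.child.example.", CERT_ROGUE),
        "consistent": decide_after_child_lookup(GOOD_REFERRAL, SIGNED_CHILD),
        "stripped": decide_after_child_lookup(STRIPPED_REFERRAL, SIGNED_CHILD),
        "tampered": decide_after_child_lookup(tampered, SIGNED_CHILD),
        "no_tlsa": decide_after_child_lookup(STRIPPED_REFERRAL, ChildAnswer(NS_SET, {})),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The "stripped" case is the downgrade John mentions: a referral that arrives with no TLSA glue is only accepted as plain DNS if the child's signed data also has no TLSA; otherwise the client reconnects over TLS. The "tampered" case shows why the second fetch matters at all: an on-path party who rewrites the unsigned glue to its own certificate hash passes step 1 but fails the comparison against the signed child records.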