Hello, please find below revision -01 of our proposal for enabling DoT from resolver to authoritative.
New in this revision:

* a lot of clarifying text without changing the underlying protocol
* the DNSKEY flags field is now specified to be 257 instead of 0. We know that this goes against the explicit wishes of some of those who commented on -00, but we argue in the document that because our algo TBD will have 'Zone Signing=N' in the IANA DNSKEY algo registry, the flags do not mean 'ZONE' and 'SEP'. The value 257, meanwhile, is believed to go down with registries much more easily.
* we added a 'Design considerations' section that explains how this protocol came to be, and why we did not go the TLSA route. You can click through to it directly via https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-01#section-9

Furthermore, we have tried to do a review of this protocol against the requirements of the DPRIVE phase 2 document. You can find this review (which might be updated outside of revisions of this draft or the phase 2 draft) via https://github.com/PowerDNS/parent-signals-dot/tree/master/draft-vandijk-dprive-ds-dot-signal-and-pin/yardsticks

We'll be presenting the draft at the IETF108 dprive session.

Kind regards,
Manu, Robin & Peter

-------- Forwarded Message --------
From: [email protected]
To: Robin Geuze <[email protected]>, Peter van Dijk <[email protected]>, Emmanuel Bretelle <[email protected]>
Subject: [EXT] New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-01.txt
Date: Mon, 13 Jul 2020 01:47:10 -0700

A new version of I-D, draft-vandijk-dprive-ds-dot-signal-and-pin-01.txt
has been successfully submitted by Peter van Dijk and posted to the
IETF repository.

Name:           draft-vandijk-dprive-ds-dot-signal-and-pin
Revision:       01
Title:          Signalling Authoritative DoT support in DS records, with key pinning
Document date:  2020-07-13
Group:          Individual Submission
Pages:          14
URL:            https://www.ietf.org/internet-drafts/draft-vandijk-dprive-ds-dot-signal-and-pin-01.txt
Status:         https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
Htmlized:       https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-vandijk-dprive-ds-dot-signal-and-pin
Diff:           https://www.ietf.org/rfcdiff?url2=draft-vandijk-dprive-ds-dot-signal-and-pin-01

Abstract:
   This document specifies a way to signal the usage of DoT, and the
   pinned keys for that DoT usage, in authoritative servers. This
   signal lives on the parent side of delegations, in DS records. To
   ensure easy deployment, the signal is defined in terms of (C)DNSKEY.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
