On Aug 12, 2020, at 19:50, Vladimír Čunát <[email protected]> wrote: > > >> On 8/12/20 9:50 PM, Paul Wouters wrote: >>> Delegation NS records are not signed, so do we stick -those- (or a hash >>> of the NSset perhaps?) into DS? >> >> I don't think so. The DS is signed, and following that path, it hardly >> matters where the NS records point to. Do you fear that you will receive >> bad NS records from the parent, who will than MITM you by relaying >> DNSSEC payloads from the real authoritative server, and thus losing privacy >> that way? [...] > That parent may not be using a secure transport (e.g. root isn't expected > to), in which case anyone on path may be a MITM. I suppose in that case we > could use the NS to obtain DNSSEC proof for itself, but adding this > half-secure phase would seem to complicate stuff, and you probably don't want > to ask deeper than the apex until MITM is disproven (leaking additional > labels and allowing the MITM to deepen the attack) >
Query minimalisation and unbound’s hardening options for infrastructure records would do this already with today’s software configuration. Paul
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
