Please bear with me while I take you on a rollercoaster :-) We introduce our three actors:
DOTPIN: https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/ - pin TLS key material in a DS record. Scales badly if one NSset hosts 100k domains, basically preventing you from ever rolling keys. Written in the assumption that software changes at registries are hard, so it only asks them to allow one more DNSKEY Algorithm number. Has great latency properties.

TLSA: frequently touted as an ADoT signal/pin mechanism that would not have all the problems DOTPIN has. Makes sense, but requires some inventive thinking because delegation NSsets are not signed.

DiS: https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-delegation-information-signer/ - a parent side signature over delegation data (NS records and glue), published as another DS record. Written in the assumption that we can actually change registry software (in this case, specifically, the DNSSEC signer).

We give our actors roles in a The Shining/MacGyver fanfic crossover:

DiS assumes registry processes can be changed a little. If we trust that they can change more than just a little, the following combination of factors can be proposed:

1. auth operators publish TLSA records for their NSes
2. the registry, while generating zone files, queries for those TLSA records
3. from the found TLSA records, the registry generates DOTPIN DSes
4. the DOTPIN DSes are published alongside the domain owner's NSes, DSes, and perhaps the DiS

This offers us:

1. TLSA-based keyrolls from a single 'source of truth' (the auth operator), at low delay (however often the registry re-lookups the TLSA and pushes a zonefile update)
2. a secure shortcut straight through the problematic unsigned nature of delegation NSsets
3. zero additional latency delivery of signal/pinning information to resolvers

However:

1. the complex moving parts are now in the registry, instead of in 10-20 pieces of (mostly open source) DNS software
2. as a whole, it's not pretty
3. an operator hosting 100k domains can make the TLD zone file grow by 100k records by publishing one additional (TLSA) record for one of their NSes

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
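The registry-side pipeline sketched above (query TLSA per NS, emit a DOTPIN DS per delegation), as an added simulation that is not part of the original mail or of either draft. The DS algorithm number, the key-tag derivation and the TLSA answers are all constructed placeholders; the point it demonstrates is that lookups scale with the number of unique NS names while the emitted DS records scale with the number of delegations, which is the zone-growth concern in point 3.

```python
import hashlib

# Placeholder algorithm number for the DOTPIN-style DS. The real value
# would be assigned per the draft; this is an assumption of the example.
DOTPIN_ALG_PLACEHOLDER = 253

# Constructed TLSA answers keyed by the name a registry job would query
# (_853._tcp.<ns>, 853 being the DNS-over-TLS port). Each entry is
# (usage, selector, matching_type, certificate_association_data_hex).
TLSA_ANSWERS = {
    "_853._tcp.ns1.operator.example.": [(3, 1, 1, "aa" * 32)],
    "_853._tcp.ns2.operator.example.": [(3, 1, 1, "bb" * 32)],
    "_853._tcp.ns1.small.example.": [],  # operator publishes no TLSA: no pin
}

def tlsa_name(ns):
    return "_853._tcp." + ns

def generate_dotpin_ds(delegations, tlsa_answers=TLSA_ANSWERS):
    """Registry-side step: look up TLSA once per unique NS, then emit one
    DOTPIN-style DS per (child zone, usable TLSA record).
    delegations: {child_zone: [ns_name, ...]}.
    Returns (ds_records, tlsa_lookups); each DS is
    (owner, key_tag, algorithm, tlsa_matching_type, pin_hex)."""
    cache = {}
    records = []
    for child, nsset in delegations.items():
        for ns in nsset:
            qname = tlsa_name(ns)
            if qname not in cache:  # one query per NS name, not per child
                cache[qname] = tlsa_answers.get(qname, [])
            for usage, selector, mtype, cad in cache[qname]:
                if (usage, selector) != (3, 1):  # assumption: only DANE-EE SPKI pins are carried
                    continue
                # Hypothetical key tag: two bytes of SHA-256 over the pin, so the
                # same pin yields the same tag under every child that uses it.
                tag = int.from_bytes(hashlib.sha256(bytes.fromhex(cad)).digest()[:2], "big")
                records.append((child, tag, DOTPIN_ALG_PLACEHOLDER, mtype, cad))
    return records, len(cache)

def delegations_for_operator(n, nsset, suffix=".tld."):
    """Constructed delegation set: n child zones all sharing one NSset."""
    return {f"d{i}{suffix}": list(nsset) for i in range(n)}

if __name__ == "__main__":
    big = delegations_for_operator(100_000, ["ns1.operator.example.", "ns2.operator.example."])
    ds, lookups = generate_dotpin_ds(big)
    print(f"{len(ds)} DS records added to the TLD zone after {lookups} TLSA lookups")
```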