On Fri, 11 Jun 2021, Paul Hoffman wrote:

A nation state could add unsigned NS glue to their zone for domains they
are interested in and trigger people('s resolvers) to go to "their"
secure transport IP and do logging.

This is a problem with unsigned NS, not unsigned labels in the name.

Wherever the unsigned data at the parent is, that does not matter. It
could be the imaginary SVCB record at the parent. The problem is that
a nation state can just add them to their TLD glue, and the child cannot
opt out of resolvers following the path from root to TLD to TLD's
resolver.

If you use DS, they would at least have to sign for it _and_ you can
verify the DS via CDS so now such a parent would have to do a lot more
and leave cryptographic evidence of their efforts.

Is your proposal "DS in parent and matching DNSKEY in the child"?

DS in parent and matching CDS in child. No need to pollute the child's
DNSKEY RRset and complicate validation.

We had several proposals written up. I don't think at this point we need
more or updated draft text.

What you gave in your earlier is not sufficient for useful analysis, thus not
for comparison. See my question above, for example.

We had a long discussion with Peter van Dijk's proposal on what to
encode in the DS or not. E.g. do we add pubkey or not. Please read
the archive. If we reach agreement on what to encode and how to encode
it, it can be written as draft. Maybe even as update to Peter's draft.

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
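The exchange above turns on the difference between a delegation that carries only unsigned NS/glue (nothing the child can vouch for) and one where a DS at the parent can be checked against a CDS published by the child. The following is an added example, not code from the thread or from any of the drafts it mentions: it builds a DS/CDS record from a DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest type 2 per RFC 4509), then classifies a delegation by whether the parent's DS RRset agrees with the child's CDS RRset. The owner name, DNSKEY flags and the four-byte "public key" are constructed placeholders, not a real zone key; the code does not validate RRSIGs, it only shows what the DS-to-CDS comparison consists of.

```python
import hashlib
import struct

# Constructed sample values (assumption: not a real zone key). Algorithm 13 with
# a four-byte key is only a placeholder so the digest/key-tag logic can run.
SAMPLE_OWNER = "example."
SAMPLE_FLAGS = 256
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 13
SAMPLE_PUBKEY = b"\x01\x02\x03\x04"


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS (or CDS) RDATA for a DNSKEY as (key tag, algorithm, digest type, hex digest).
    Digest type 2 is SHA-256 over canonical owner name + DNSKEY RDATA (RFC 4509)."""
    if digest_type != 2:
        raise ValueError("this example only implements digest type 2 (SHA-256)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def normalize(record):
    """Compare DS/CDS records on their four fields; hex digests are case-insensitive."""
    tag, alg, dtype, digest = record
    return (int(tag), int(alg), int(dtype), digest.lower())


def matching_records(parent_ds, child_cds):
    """Records present in both the parent's DS RRset and the child's CDS RRset."""
    parent = {normalize(r) for r in parent_ds}
    child = {normalize(r) for r in child_cds}
    return sorted(parent & child)


def delegation_evidence(parent_ds, child_cds):
    """Classify a delegation the way the thread frames it:
    - no DS at all: only unsigned NS/glue exists, so there is nothing the
      child could have published to vouch for or against it;
    - DS present but nothing matching the child's CDS: the parent published
      DS data the child itself did not publish (evidence of a unilateral change);
    - at least one match: parent DS and child CDS agree."""
    if not parent_ds:
        return "unsigned-delegation"
    if not matching_records(parent_ds, child_cds):
        return "ds-cds-mismatch"
    return "ds-cds-match"


if __name__ == "__main__":
    # Child publishes CDS for its key; parent carries the same DS: agreement.
    cds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print("parent DS == child CDS:", delegation_evidence([cds], [cds]))
    # Parent carries a DS the child never published (constructed: different flags).
    foreign = make_ds(SAMPLE_OWNER, 257, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print("parent DS not in child CDS:", delegation_evidence([foreign], [cds]))
    # No DS at all: nothing for the child to opt out of or vouch for.
    print("no DS at parent:", delegation_evidence([], [cds]))
```

The comparison in `matching_records` needs only the child's CDS RRset, not its DNSKEY RRset, which is the point of "DS in parent and matching CDS in child": a resolver or auditor can confirm that the parent's DS reflects something the child actually published without adding anything to the child's DNSKEY set or to the validation path.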
