If I understand correctly, the encoding could cover any below-the-cut records in the referral response.
For an in-bailiwick response, this would be the child NS rrset, glue A/AAAA records, and SVCB records:

;; Authority
example.com NS ns1.example.com
example.com NS ns2.example.com
;; Additional
ns1.example.com A 192.0.2.1
ns1.example.com AAAA 2001:db8::1
ns2.example.com A 192.0.2.2
ns2.example.com AAAA 2001:db8::2

There could be a DS record that contains encoded RDATA:

rr_type=NS prefix=<empty> rdata="ns1.example.com"
rr_type=NS prefix=<empty> rdata="ns2.example.com"
rr_type=A prefix=ns1 rdata="192.0.2.1"
rr_type=A prefix=ns2 rdata="192.0.2.2"
rr_type=AAAA prefix=ns1 rdata="2001:db8::1"
rr_type=AAAA prefix=ns2 rdata="2001:db8::2"
rr_type=SVCB prefix=_dns.ns1 rdata="ns1.example.com 1 alpn=dot adox=tlsa"
rr_type=SVCB prefix=_dns.ns2 rdata="ns2.example.com 1 alpn=dot adox=pki"

(Or maybe leave out the A and AAAA records, but that makes it easier for attackers to trick resolvers into talking to malicious endpoints.)

For an out-of-bailiwick response, this would be only the child NS records:

;; Authority
example.com NS ns1.other-example.com
example.com NS ns2.other-example.com
;; Additional
<empty>

There would be a DS record that contains encoded RDATA:

rr_type=NS prefix=<empty> rdata="ns1.other-example.com"
rr_type=NS prefix=<empty> rdata="ns2.other-example.com"

This referral conveys no authenticated SVCB (only authenticated NS names), so encryption-aware recursive resolvers would query for SVCB in parallel with A and AAAA queries for the name servers.

On Fri, Jul 30, 2021 at 2:10 PM Paul Hoffman <[email protected]> wrote:

> On Jul 30, 2021, at 10:37 AM, Ben Schwartz <[email protected]> wrote:
> > On Fri, Jul 30, 2021 at 1:34 PM Paul Hoffman <[email protected]> wrote:
> > > I'm confused here. Are you saying that the DS owner name for an out-of-bailiwick NS would still be the name of that NS?
> >
> > No, it would be the owner name of that NS record, which is the child apex. This is also the owner name of the DS record. The name of the NS is in the RDATA.
>
> Sorry that I'm being dense. Having some examples with both in-bailiwick and out-of-bailiwick NSs would be useful (at least to me).
>
> --Paul Hoffman
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
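As an added illustration (not the draft's wire format and not code from anyone in this thread), a small Python model of the encoding the message sketches: it turns the Authority and Additional sections of a referral into (rr_type, prefix, rdata) entries relative to the child apex, rebuilds the owner names on the way back, and reports which lookups a resolver still has to make unauthenticated when the referral is out-of-bailiwick. The function names, the tuple model and the sample referrals are assumptions constructed from the message's two examples.

```python
from typing import NamedTuple

class EncodedRR(NamedTuple):
    """One below-the-cut record as it would be carried in the parent's DS RDATA (constructed model)."""
    rr_type: str
    prefix: str   # labels left of the child apex; "" means the apex itself
    rdata: str    # presentation-format RDATA, as written in the message

def owner_name(apex: str, prefix: str) -> str:
    return apex if prefix == "" else f"{prefix}.{apex}"

def encode_referral(apex, records):
    """records: (owner, rr_type, rdata) tuples from the Authority and Additional sections.
    Only names at or below the child apex can be expressed; anything else is skipped."""
    encoded = []
    for owner, rr_type, rdata in records:
        if owner == apex:
            prefix = ""
        elif owner.endswith("." + apex):
            prefix = owner[: -(len(apex) + 1)]
        else:
            continue  # e.g. an address for ns1.other-example.com has no prefix under example.com
        encoded.append(EncodedRR(rr_type, prefix, rdata))
    return encoded

def decode_referral(apex, encoded):
    """Inverse of encode_referral: restore the owner names from apex + prefix."""
    return [(owner_name(apex, e.prefix), e.rr_type, e.rdata) for e in encoded]

def unauthenticated_lookups(apex, encoded):
    """For each NS target, the lookups (A, AAAA, and the _dns.<target> SVCB) that the
    DS encoding did not cover and the resolver must therefore fetch on its own."""
    present = {(owner_name(apex, e.prefix), e.rr_type) for e in encoded}
    missing = {}
    for target in [e.rdata for e in encoded if e.rr_type == "NS"]:
        need = [rt for rt in ("A", "AAAA") if (target, rt) not in present]
        if ("_dns." + target, "SVCB") not in present:
            need.append("SVCB")
        if need:
            missing[target] = need
    return missing

# Constructed sample referrals following the message's two cases.
IN_BAILIWICK = [
    ("example.com", "NS", "ns1.example.com"), ("example.com", "NS", "ns2.example.com"),
    ("ns1.example.com", "A", "192.0.2.1"), ("ns2.example.com", "A", "192.0.2.2"),
    ("ns1.example.com", "AAAA", "2001:db8::1"), ("ns2.example.com", "AAAA", "2001:db8::2"),
    ("_dns.ns1.example.com", "SVCB", "ns1.example.com 1 alpn=dot adox=tlsa"),
    ("_dns.ns2.example.com", "SVCB", "ns2.example.com 1 alpn=dot adox=pki"),
]
OUT_OF_BAILIWICK = [
    ("example.com", "NS", "ns1.other-example.com"), ("example.com", "NS", "ns2.other-example.com"),
]
```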
