On Wed, 2021-09-15 at 17:18 -0400, Ben Schwartz wrote:
> On Wed, Sep 15, 2021 at 3:37 PM Paul Wouters <[email protected]> wrote:
> > I believe this draft is not the best idea. It basically copies a lot of
> > "unsigned" data to turn it into a "signed" copy. The more obvious
> > approach would be to just provide a signature over the unsigned data in
> > the new DS variant record, which would reduce a lot of complexity.
> 
> That sounds a lot like 
> https://datatracker.ietf.org/doc/html/draft-dickson-dnsop-ds-hack-00.
> 
> I see two key advantages to the "verbatim" approach used in DS Glue.
> 
> 1. It enables the provisioning of arbitrary RR types, without relying on 
> support from the parent (and registrar?) for each new RR type.

Yes, but: for all (three?) proposals that are going around for 'using
DS to strengthen NS names', deployment would be best with registrar
support. Yes, zone owners can upload DS records to match/hash their
NSes, but it would be way cooler if the registry emitted those DS
records automatically. However, this is not a deployment requirement.

> 2. It greatly simplifies the rollover and validation logic.  With hashes in 
> DS, the glue and its hash can be out of sync, so the child zone operator 
> needs to publish records via a multi-phase commit process, and the resolver 
> needs to apply a lax validation rule to ignore some unmatched signatures.  
> Getting the lax validation logic correct, and ensuring that an attacker 
> cannot remove any glue records without detection, is very difficult.  (It 
> also relies on the parent implementing a very consistent glue policy, e.g. 
> things might break if the parent starts adding sibling glue.)

+1 to this. Getting the data unhashed-but-signed from the parent
simplifies so many things.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy