On Jul 8, 2013, at 3:32 PM, Patrik Fältström <[email protected]> wrote:
> On 8 jul 2013, at 20:49, "Dickson, Brian" <[email protected]> wrote:
>
>> However, maybe something like a "PNS" (parent NS) in the child, where the
>> child is authoritative for the data, could signal {change | validation}
>> (depending on the RRR requirements), would do the trick?
>
> Might solve some events, but I do not think it solves the most important
> situation, that DNS is moved from one DNS provider to another. The old DNS
> provider cannot be asked to enter NS records for the gaining provider... And
> using NS (in reality, as you look for auth servers) to fetch NS data seems to
> me to be a bit...fishy... ;-) The attack vector against such a situation is very
> complicated.

And is *precisely* why this document / technique is not trying to "solve" it.

CDS is specifically only for rolling your DNSKEY. It is specifically NOT for:
  establishing trust.
  recovering from a key compromise.
  changing operators.
  changing your NS.
  a duck.

It is designed to be easy to clean, simple and easy to implement. It is designed to solve the "common case" -- there are a whole slew of cases that it simply rules out of scope.

This is designed to be the answer to "I feel like I should roll my keys because XXX, but I'm simply too lazy / likely to screw it up with the current interface" -- where XXX is something related to age, some policy, etc, NOT because I wandered into the directory where I store keys and found a file called exploit.php...

If I need to move DNS hosting folk, change my NS records, transfer my domain to another registrar, revoke all keys, etc, I'll go "old skool" and do the out of band / web dance. We want to make this annoying (probably repetitive) bit easier; ocean boiling is left for later...

[ Please note: I'm currently sitting in a hotel in South Africa, with less than stellar Internet access, and a funny timezone. Replies may be terse and delayed. ]

W

> Patrik
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
"Let's just say that if complete and utter chaos was lightning, he'd be the sort to stand on a hilltop in a thunderstorm wearing wet copper armour and shouting 'All gods are bastards'." -- Rincewind discussing Twoflower (Terry Pratchett, The Colour of Magic)
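The scope rule stated above (CDS rolls the DNSKEY of a zone that already has a DS at the parent; it does not bootstrap trust, recover from a compromise, or move operators) can be written as a parent-side acceptance check. The Go program below is an added example, not code from the draft, from the thread, or from any registry; it assumes Ed25519 keys (DNSSEC algorithm 15) and a simplified RRSIG that covers only the owner name and the canonically ordered CDS RDATA rather than the full RRSIG header. The DS digest and key tag computations follow RFC 4034, and the acceptance rule is the one RFC 7344 later adopted: the CDS RRset must be validly signed by a key that the parent's current DS set already references. The zone name `example.test.` and the helper names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// DNSKEY holds the RFC 4034 RDATA fields for an Ed25519 key (algorithm 15, RFC 8080).
type DNSKEY struct {
	Flags  uint16            // 257 = zone key with SEP bit, i.e. a KSK
	Alg    uint8             // 15 = Ed25519
	PubKey ed25519.PublicKey // raw 32-byte public key as published in the RR
}

func (k DNSKEY) rdata() []byte {
	b := make([]byte, 4, 4+len(k.PubKey))
	binary.BigEndian.PutUint16(b, k.Flags)
	b[2] = 3 // protocol field is always 3
	b[3] = k.Alg
	return append(b, k.PubKey...)
}

// KeyTag implements RFC 4034 Appendix B over the DNSKEY RDATA.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, c := range k.rdata() {
		if i%2 == 0 {
			ac += uint32(c) << 8
		} else {
			ac += uint32(c)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac)
}

// genKSK generates a fresh Ed25519 KSK (hypothetical helper for the demo and tests).
func genKSK() (DNSKEY, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return DNSKEY{Flags: 257, Alg: 15, PubKey: pub}, priv
}

// DS is a DS or CDS record with digest type 2 (SHA-256).
type DS struct {
	KeyTag     uint16
	Alg        uint8
	DigestType uint8
	Digest     []byte
}

func (d DS) rdata() []byte {
	b := make([]byte, 4, 4+len(d.Digest))
	binary.BigEndian.PutUint16(b, d.KeyTag)
	b[2], b[3] = d.Alg, d.DigestType
	return append(b, d.Digest...)
}

func (d DS) Equal(o DS) bool { return bytes.Equal(d.rdata(), o.rdata()) }

// wireName lowercases a name and encodes it as DNS labels (canonical form, RFC 4034 6.2).
func wireName(name string) []byte {
	var w []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		w = append(append(w, byte(len(l))), l...)
	}
	return append(w, 0)
}

// MakeDS computes digest = SHA-256(canonical owner name | DNSKEY RDATA), RFC 4034 5.1.4.
func MakeDS(owner string, k DNSKEY) DS {
	h := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return DS{KeyTag: k.KeyTag(), Alg: k.Alg, DigestType: 2, Digest: h[:]}
}

// CDSRRset is a CDS RRset plus the two RRSIG fields this model keeps: the signer's key tag
// and the signature. Signed data is simplified to owner name + canonically ordered RDATA.
type CDSRRset struct {
	Owner     string
	Records   []DS
	SignerTag uint16
	Signature []byte
}

func signingInput(owner string, recs []DS) []byte {
	rd := make([][]byte, len(recs))
	for i, r := range recs {
		rd[i] = r.rdata()
	}
	sort.Slice(rd, func(i, j int) bool { return bytes.Compare(rd[i], rd[j]) < 0 })
	return append(wireName(owner), bytes.Join(rd, nil)...)
}

// SignCDS is the child side: publish recs as CDS, signed with the given KSK.
func SignCDS(owner string, recs []DS, signer DNSKEY, priv ed25519.PrivateKey) CDSRRset {
	return CDSRRset{Owner: owner, Records: recs, SignerTag: signer.KeyTag(),
		Signature: ed25519.Sign(priv, signingInput(owner, recs))}
}

// AcceptCDS is the parent side: return the DS set to install, or an error naming the
// out-of-scope case that was hit. Only a key the current DS already chains to may sign.
func AcceptCDS(currentDS []DS, childKeys []DNSKEY, cds CDSRRset) ([]DS, error) {
	if len(currentDS) == 0 {
		return nil, errors.New("no DS at parent: CDS cannot establish trust, bootstrap out of band")
	}
	if len(cds.Records) == 0 {
		return nil, errors.New("empty CDS: refusing to remove the delegation's DS")
	}
	for _, k := range childKeys { // key tags can collide, so try every key with that tag
		if k.KeyTag() != cds.SignerTag {
			continue
		}
		trusted := false
		for _, d := range currentDS {
			if d.Equal(MakeDS(cds.Owner, k)) {
				trusted = true
			}
		}
		if trusted && ed25519.Verify(k.PubKey, signingInput(cds.Owner, cds.Records), cds.Signature) {
			return cds.Records, nil
		}
	}
	return nil, errors.New("CDS not signed by a key in the current DS: compromise or operator change, handle out of band")
}

func main() {
	owner := "example.test."
	oldKSK, oldPriv := genKSK()
	newKSK, newPriv := genKSK()
	parentDS := []DS{MakeDS(owner, oldKSK)} // delegation already secure
	keys := []DNSKEY{oldKSK, newKSK}        // child pre-publishes the new KSK
	roll := []DS{MakeDS(owner, newKSK)}
	// Common case: roll the KSK; CDS signed by the key the parent already trusts.
	fmt.Println(AcceptCDS(parentDS, keys, SignCDS(owner, roll, oldKSK, oldPriv)))
	// Out of scope: signed only by the new key (new operator, or replacement after compromise).
	fmt.Println(AcceptCDS(parentDS, keys, SignCDS(owner, roll, newKSK, newPriv)))
	// Out of scope: no DS yet, so CDS cannot turn DNSSEC on.
	fmt.Println(AcceptCDS(nil, keys, SignCDS(owner, roll, oldKSK, oldPriv)))
}
```

The check deliberately has no notion of "the new key looks fine": a CDS set signed only by a key the parent has never seen is indistinguishable from an attacker who controls the child zone's content, which is exactly why operator changes and compromise recovery stay on the out-of-band path.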
