I'm supportive of doing this in other ways, but also understand that DNSSEC is not widely deployed. I suppose that's ultimately a crutch, though it is the current situation. With that being said, we thought this would be one reasonable approach to being able to show that relationship. We could potentially have a non-DNSSEC and DNSSEC method in the same draft, if that's something that might be agreeable?
--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

-----Original Message-----
From: dbound <[email protected]> On Behalf Of Paul Wouters
Sent: Wednesday, February 27, 2019 9:25 AM
To: Brotman, Alexander <[email protected]>
Cc: [email protected]; [email protected]; Stephen Farrell <[email protected]>; [email protected]
Subject: Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft

On Mon, 25 Feb 2019, Brotman, Alexander wrote:

> Stephen and I have spent a bit of time working on a draft to be able to show
> a relationship between two domains. We're aware this subject has been
> covered a few times previously, especially in the DBOUND drafts, but we're
> hopeful that a more simple approach might be more acceptable. The secondary
> domain will create a DNS record that shows a link to a primary domain, and
> the text should be able to be validated using the public key in a DNS record
> the primary domain shares. This is something akin to DKIM, a mechanism that
> the email world uses to ensure the contents of a message have not been
> tampered with.
>
> https://datatracker.ietf.org/doc/draft-brotman-rdbd/

I've read the draft, and I have my usual complaints. If we put stuff into the DNS for security decisions, saying "it's better if you use this data when it is DNSSEC signed" is just too weak. We are splashing TOFU everywhere and putting CT bandaids on it. It's long overdue that we stop with that. Just require DNSSEC.

And if you require DNSSEC validation, then the solution becomes much simpler and could be encoded in a single bit, see: https://tools.ietf.org/html/draft-pwouters-powerbind

Paul

_______________________________________________
dbound mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dbound

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
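The flow sketched in the quoted draft summary (the secondary domain publishes a record linking it to a primary, and a verifier checks that link against a public key the primary publishes in DNS) and Paul's objection (the check is only as strong as the DNS answers it consumes unless DNSSEC validation is required) can both be shown in a small simulation. The following Go program is an added example and is not code from the RDBD draft, from its authors, or from the powerbind draft: the `_rdbd-demo.` owner-name prefix, the `v=/k=/p=/d=/s=` tag syntax, the Ed25519 choice and the signed-message layout are all assumptions made here for illustration, and the in-memory `Zone` stands in for a validating resolver, with `Validated` modelling whether an answer came back DNSSEC-validated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is one stand-in DNS answer: TXT-style text plus whether the
// (hypothetical) validating resolver reported it as DNSSEC-validated.
type Record struct {
	Text      string
	Validated bool
}

// Zone is a constructed in-memory substitute for DNS lookups, keyed by owner name.
type Zone map[string]Record

// Policy controls whether answers that were not DNSSEC-validated are usable at all.
type Policy struct{ RequireDNSSEC bool }

const prefix = "_rdbd-demo." // assumed owner-name prefix; not the draft's

// relationMessage is the exact byte string the primary signs. Binding both
// names stops a signature issued for one secondary being replayed under another.
func relationMessage(secondary, primary string) []byte {
	return []byte("rdbd-demo-relation|" + strings.ToLower(secondary) + "|" + strings.ToLower(primary))
}

// PublishKey builds the record the primary publishes: its public key.
func PublishKey(pub ed25519.PublicKey) string {
	return "v=rdbd-demo1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
}

// PublishRelation builds the record the secondary publishes: the primary's
// name plus a signature the primary produced with its own private key.
func PublishRelation(priv ed25519.PrivateKey, secondary, primary string) string {
	sig := ed25519.Sign(priv, relationMessage(secondary, primary))
	return "v=rdbd-demo1; d=" + primary + "; s=" + base64.StdEncoding.EncodeToString(sig)
}

// parseTags splits "k=v; k2=v2" text into a map, tolerating stray whitespace.
func parseTags(text string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(text, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return out
}

// fetch looks a record up and applies the DNSSEC policy before anything is parsed.
func fetch(z Zone, name string, pol Policy) (map[string]string, error) {
	rec, ok := z[strings.ToLower(name)]
	if !ok {
		return nil, fmt.Errorf("no record at %s", name)
	}
	if pol.RequireDNSSEC && !rec.Validated {
		return nil, fmt.Errorf("record at %s is not DNSSEC-validated", name)
	}
	return parseTags(rec.Text), nil
}

// VerifyRelation resolves the secondary's relation record, then the primary's
// key record, and checks the signature. On success it returns the primary name.
func VerifyRelation(z Zone, secondary string, pol Policy) (string, error) {
	rel, err := fetch(z, prefix+secondary, pol)
	if err != nil {
		return "", err
	}
	primary := rel["d"]
	if primary == "" || rel["s"] == "" {
		return "", errors.New("relation record missing d= or s=")
	}
	key, err := fetch(z, prefix+primary, pol)
	if err != nil {
		return "", err
	}
	if key["k"] != "ed25519" {
		return "", errors.New("unsupported key type")
	}
	pub, err := base64.StdEncoding.DecodeString(key["p"])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("malformed public key")
	}
	sig, err := base64.StdEncoding.DecodeString(rel["s"])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed signature")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), relationMessage(secondary, primary), sig) {
		return "", errors.New("signature does not verify against the primary's key")
	}
	return primary, nil
}

// DemoZone builds a constructed zone in which primary vouches for secondary;
// validated models whether the resolver would hand these answers back as validated.
func DemoZone(secondary, primary string, validated bool) (Zone, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	z := Zone{
		prefix + primary:   {Text: PublishKey(pub), Validated: validated},
		prefix + secondary: {Text: PublishRelation(priv, secondary, primary), Validated: validated},
	}
	return z, priv, nil
}

func main() {
	strict := Policy{RequireDNSSEC: true}
	z, priv, err := DemoZone("shop.example", "brand.example", true)
	if err != nil {
		panic(err)
	}
	p, err := VerifyRelation(z, "shop.example", strict)
	fmt.Println("validated zone:", p, err)
	// A genuine signature for another secondary, replayed at shop.example, must fail.
	z[prefix+"shop.example"] = Record{Text: PublishRelation(priv, "other.example", "brand.example"), Validated: true}
	_, err = VerifyRelation(z, "shop.example", strict)
	fmt.Println("replayed signature:", err)
	// The same records without DNSSEC: refused under strict policy, accepted under lenient.
	u, _, _ := DemoZone("shop.example", "brand.example", false)
	_, err = VerifyRelation(u, "shop.example", strict)
	fmt.Println("unsigned DNS, strict:", err)
	p, err = VerifyRelation(u, "shop.example", Policy{})
	fmt.Println("unsigned DNS, lenient:", p, err)
}
```

The lenient run is the situation Paul describes: the signature still checks, but the verifier has only the resolver's word for which key record belongs to the primary, so a substituted key record and a matching signature would pass just as cleanly. Setting `RequireDNSSEC` makes `fetch` reject any unvalidated answer before the signature is even examined, which is the "just require DNSSEC" position expressed as a single policy check.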
