Answering two for the price of one... On 27/02/2019 17:26, John R. Levine wrote:>> new signatures), I myself only copped on that this could >> be of some use where the primary has DNSSEC but where the >> secondary doesn't, which is maybe interesting. > > In that case, the primary can just publish pointers to the secondaries, > and we're done. > > The DKIM-like signatures have an odd model where the primary has enough > control over its DNS to publish the validation key, and enough to give > the secondaries signed records for their names they can publish that > point back to that key, but not enough just to publish the secondaries' > names directly. I don't get it.
That could work, but'd mean the primary having to store all the records and an extra lookup if even if you had the public key cached. I believe the former could be an issue if there are many secondaries, at least according to one chat I had with someone involved with many domains (which I'm not). I think the design in our -00 is a bit better than that, but not hugely better and it's ok we can disagree about it - if this goes somewhere there'll be plenty of time to thrash it out as we go. On 27/02/2019 18:38, Ted Lemon wrote: > On Feb 27, 2019, at 10:57 AM, Stephen Farrell > <[email protected]> wrote: >> Yep. After both domains have DNSSEC, then this could all be >> simpler. Before they do, there may be value in the sigs though see >> John's simplification suggestion at [1]. > > If they don’t have DNSSEC, what’s the point of saying the domains > are related anyway? What are the security properties of such an > assertion when the content of the zones can’t be validated? The point of making the assertion would be in the eye of the beholder. The level of confidence one might have in such an assertion (without DNSSEC) should of course be lower. But we do work without DNSSEC for almost everything today so I'm not convinced "no DNSSEC" => can't be done here. (And again, the use-cases we've discussed are not high-security ones.) FWIW, I am a fan of DNSSEC, deploy it for domains I control, and do consider that despite it's gnarliness it provides real benefits. But I don't believe we can seriously require it as a pre-requisite for almost anything today, and nor do I believe that our proposal, if it goes ahead would by itself cause people to deploy DNSSEC. So ISTM that making DNSSEC a MUST-use isn't the right approach in this case. Cheers, S. > > > > _______________________________________________ art mailing list > [email protected] https://www.ietf.org/mailman/listinfo/art >
0x5AB2FAF17B172BEA.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
