Hello everyone,

my impression from yesterday is that the authors of the Powerbind draft assume that 
everyone else has an idea of how DNSSEC Transparency should be implemented, and 
this makes the discussion much harder because IMHO this assumption does not hold.

Could the authors elaborate on the proposed DNSSEC Transparency mechanism, so we can 
get a better idea of what role Powerbind has? Do you refer to 
https://tools.ietf.org/html/draft-zhang-trans-ct-dnssec-03 or some other 
document? Or are you talking about a different idea?

Having said that, Powerbind *seems* to be a useful and cheap addition, but at the 
moment I do not have enough information to be sure.

Petr Špaček  @  CZ.NIC


On 14. 04. 20 18:07, Ben Schwartz wrote:
> If I understand correctly, the Powerbind draft is designed to reduce the 
> amount of data that must be logged in order to verify appropriate use of a 
> DNSKEY "K" for a delegation-only zone.  I'm trying to compare the amount of 
> logging required with and without Powerbind.
> 
> Here's my current best guess:
> - With Powerbind, we need to log all DS records (to detect replacement) and 
> NSEC and NSEC3 records (to detect repudiation) that are signed by K, along 
> with their RRSIGs.  Resolvers would reject any other records signed by K.
> - Without Powerbind, we need to log any record signed by K that is not on the 
> apex, along with its RRSIG.
> 
> But for a delegation-only zone, aren't these the same set?  What else would a 
> delegation-only zone be signing beyond the apex, other than DS, NSEC, and 
> NSEC3?
> 
> Thanks,
> Ben Schwartz
> 
> P.S. Hostile zones can spam the log either way, so that problem is out of 
> scope.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
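The logging comparison in Ben's quoted message can be made concrete with a small model. The following is an added example, not code from the thread, the Powerbind draft or any transparency log; it reduces the resolver rule to Ben's summary (a DNSKEY "K" with the delegation-only flag may sign only apex records plus DS, NSEC and NSEC3, everything else signed by K is rejected) and runs it over a constructed zone `example.` with one secure delegation, once clean and once with an off-apex A record that K should never have signed.

```python
# Added example (not from the thread): toy model of the "with / without
# Powerbind" logging sets for a delegation-only zone signed by one key "K".
# The resolver rule is the simplified one from Ben Schwartz's summary;
# zone name, owner names and the record set are constructed.
from dataclasses import dataclass

APEX = "example."
KEY_K = "K"
DELEGATION_TYPES = {"DS", "NSEC", "NSEC3"}


@dataclass(frozen=True)
class SignedRR:
    """One RRset together with the key whose RRSIG covers it."""
    owner: str
    rtype: str
    signer: str


def at_apex(rr: SignedRR) -> bool:
    return rr.owner == APEX


def powerbind_accepts(rr: SignedRR) -> bool:
    """Resolver-side check for a delegation-only key, per the thread's summary."""
    if rr.signer != KEY_K:
        return True  # the rule only constrains records signed by K
    return at_apex(rr) or rr.rtype in DELEGATION_TYPES


def log_set_with_powerbind(zone):
    """With Powerbind: log all DS/NSEC/NSEC3 records signed by K (plus RRSIGs)."""
    return {rr for rr in zone if rr.signer == KEY_K and rr.rtype in DELEGATION_TYPES}


def log_set_without_powerbind(zone):
    """Without Powerbind: log every record signed by K that is not at the apex."""
    return {rr for rr in zone if rr.signer == KEY_K and not at_apex(rr)}


def rejected_by_resolver(zone):
    """Records a Powerbind-aware resolver refuses outright, log or no log."""
    return {rr for rr in zone if not powerbind_accepts(rr)}


def compare(zone):
    """Return both logging sets, their differences and what the resolver rejects."""
    with_pb = log_set_with_powerbind(zone)
    without_pb = log_set_without_powerbind(zone)
    return {
        "with": with_pb,
        "without": without_pb,
        "only_with": with_pb - without_pb,
        "only_without": without_pb - with_pb,
        "rejected": rejected_by_resolver(zone),
    }


# Constructed delegation-only zone: apex RRsets, one secure delegation and the
# NSEC records proving what exists. Delegation NS records carry no RRSIG and so
# are not listed as signed records.
CLEAN_ZONE = frozenset({
    SignedRR(APEX, "SOA", KEY_K),
    SignedRR(APEX, "NS", KEY_K),
    SignedRR(APEX, "DNSKEY", KEY_K),
    SignedRR(APEX, "NSEC", KEY_K),
    SignedRR("child.example.", "DS", KEY_K),
    SignedRR("child.example.", "NSEC", KEY_K),
})

# Same zone, but K has additionally signed an off-apex address record, which is
# exactly the misuse the delegation-only flag is meant to rule out.
ROGUE_RR = SignedRR("www.child.example.", "A", KEY_K)
ROGUE_ZONE = CLEAN_ZONE | {ROGUE_RR}


if __name__ == "__main__":
    for name, zone in (("clean", CLEAN_ZONE), ("rogue", ROGUE_ZONE)):
        r = compare(zone)
        print(f"{name}: log {len(r['with'])} RRsets with / "
              f"{len(r['without'])} without Powerbind; "
              f"only-with={sorted(x.rtype for x in r['only_with'])}, "
              f"only-without={sorted(x.rtype for x in r['only_without'])}, "
              f"rejected={sorted(x.rtype for x in r['rejected'])}")
```

For the clean zone the two sets differ only in the apex NSEC, which Ben's "with" wording counts and his "without" wording excludes by construction; off the apex they are identical, which is his point. For the rogue zone the off-apex A record shows up in the "without" set (it has to be logged to be noticed at all) but not in the "with" set, because a Powerbind-aware resolver rejects it on its own.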
