Hello dnsop. Let me start a simple thought experiment - attacking the planned scheme. It feels like I'm missing some part of the defense.
A .evil registry is using the DELEGATION_ONLY flag. They additionally sign a different victim.evil DS set, say adding a hash of a DNSKEY they generated themselves. Now they could serve it e.g. to specific targets, allowing .evil to control contents of the victim.evil subtree as seen by those targets.

The defense against this will be logging! So this DS set along with its proof chain should get logged by some of the targets. So far it's been clear.

But now... how do we know that this fake victim.evil DS set was not submitted by the registrant? I assume every registrant is supposed to watch the logs from everyone for such fakes? Sounds OK-ish, so if they do find an incorrect set, they know that the registry is "bad" (intentionally or not), but how can they prove *to anyone else* that they did not submit it to the registry? Without that ability I'd still feel quite powerless as a registrant, and I currently can't see a nice way of solving that. It would be nice if there was a way we could get the ability in future (for reasonable costs).

- - -

I do support the aims of the draft, but so far the plan doesn't make me feel safer, and deploying *all* the necessary parts doesn't seem very easy either. I'm sorry if I've missed something. Well, *my* trust isn't really important here, so if dnsop thinks the approach will increase trust of some more important parties...

--Vladimir
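The registrant-side log watching that the message assumes, as an added example that is not part of the original post or of the draft: it derives SHA-256 DS records from the registrant's own DNSKEYs (RFC 4034 section 5.1.4 and Appendix B) and reports logged DS records that match none of them. The log entry shape (a list of DS tuples), the function names and the key bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of an owner name: lowercase labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, hex digest) for one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def unexpected_ds(owner, own_keys, logged_ds_set):
    """Logged DS records that correspond to none of the registrant's DNSKEYs."""
    mine = {ds_for(owner, k) for k in own_keys}
    return [ds for ds in logged_ds_set if ds not in mine]

# Constructed sample data: the registrant's key, plus a key the registrant
# does not hold. LOGGED stands in for one DS set read from a log (assumed shape).
OWNER = "victim.evil."
REGISTRANT_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
OTHER_KEY = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
LOGGED = [ds_for(OWNER, REGISTRANT_KEY), ds_for(OWNER, OTHER_KEY)]

if __name__ == "__main__":
    for ds in unexpected_ds(OWNER, [REGISTRANT_KEY], LOGGED):
        print("unexpected DS for", OWNER, ds)
```

A hit shows only that the logged set contains a digest for a key the registrant does not hold; nothing in the DS set itself records who submitted it.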