On Fri, Sep 25, 2020 at 5:36 AM Peter van Dijk <[email protected]> wrote:
> Hello dnsop,
>
> in this new episode of 'enabling future innovations that we perhaps
> cannot even imagine today', please find below a link to a draft
> proposing a DS digest type that does no digesting at all. This allows a
> zone owner to publish information in the parent zone and have the
> parent sign that data on the owner's behalf.
>

No. Please read all of rfc5507, and in particular section 5, on why this goes against IAB guidance, years of operational and developer experience, and is a horrible, horrible idea. Do not overload (re-use) RRTYPEs, period.

Also, beyond the potential use case of having parent-side non-authoritative data DNSSEC signed, by using a different RRTYPE for the delegation side of a zone cut, and having a way of discriminating glue records (such as A and AAAA) from non-glue equivalents, so that the parental side of a zone cut can DNSSEC sign these records, the entire design of the Domain Name System is built around the delegation principle, which is that the only place data is authoritative is below a zone cut.

Having the ability to push data up to the parent side, which is controlled by the child side, violates the implied security model of the relationships between zones, which roughly correspond to the relationship in the Unix file system of directories, symbolic links, and mount points. The corresponding mechanism would be to allow an unprivileged user to "give away" ownership via the "chown" command, to a privileged account. This capability was extensively abused in the Unix world until it was blocked. Implementing this mechanism in DNS would almost certainly be abused in similar ways, with the same end result, of having to disable that mechanism due to abuse.

This is reason enough not to even start down this road. I'm happy to provide example use cases, but don't want to distract from the general model being bad, by playing whack-a-mole on examples and retorts.

(See Warren Kumari's email signature line about pants and weasels for why.)

With respect and no offense intended.

Brian
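As an added illustration (not part of Brian's message or of any draft), this is the binding a validator checks on a DS record under RFC 4034: the DS digest must be recomputable from the child's DNSKEY, so a digest type that carries raw child-supplied bytes gives the validator no key to bind the parent-signed data to. The owner name and DNSKEY public key below are constructed sample values.

```python
import hashlib
import struct

# RFC 4034 section 5.1.4: DS digest = hash(owner name in canonical wire form | DNSKEY RDATA).
# Registered digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a DNS owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()

def ds_matches_dnskey(owner: str, ds: tuple, dnskey: tuple) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest); dnskey = (flags, protocol, algorithm, pubkey).
    A DS whose digest type is not a real hash cannot be bound to any DNSKEY, so it is rejected."""
    tag, alg, dtype, digest = ds
    flags, protocol, key_alg, pubkey = dnskey
    if dtype not in DIGEST_ALGS:
        return False
    rdata = dnskey_rdata(flags, protocol, key_alg, pubkey)
    return key_tag(rdata) == tag and key_alg == alg and ds_digest(owner, rdata, dtype) == digest

# Constructed sample: a KSK (flags 257) for "example.test." with a placeholder key blob.
SAMPLE_KEY = (257, 3, 13, b"\x03\x01\x00\x01" + b"\xaa" * 32)
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_KEY)
GOOD_DS = (key_tag(SAMPLE_RDATA), 13, 2, ds_digest("example.test.", SAMPLE_RDATA, 2))
```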
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
