On Fri, 25 Sep 2020, Peter van Dijk wrote:
In this new episode of 'enabling future innovations that we perhaps cannot even imagine today', please find below a link to a draft proposing a DS digest type that does no digesting at all. This allows a zone owner to publish information in the parent zone and have the parent sign that data on the owner's behalf.
Abstract: The VERBATIM DS Digest is defined as a direct copy of the input data without any hashing.
I could see a use of publishing a DNSKEY at the parent in a DS record that could be used for encrypted connections towards child nameservers. But we talked about this within the context of your other proposals, and the view of a number of people and some large operators was that this encryption is a per-nameserver thing, and not a per-zone thing.

Another item not covered here, which we talked about before, is that child data published in the parent MUST have cryptographic confirmation at the child. Or else parents can coerce child data.

It seems the setup of this record is geared towards a generic mechanism of "child publishes stuff at the parent", which muddles the clear child vs. parent zone divider we have now. It would need a very strong use case, but the other use case offered is "might be handy in the future". While I agree that DNS infrastructure updates have been extremely slow, I do think in recent years it has been much better and is still improving. So I am less concerned about anything taking 5 years again.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
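As an added illustration, not part of either message above or of the draft, here is a minimal DS construction following RFC 4034 section 5.1.4 next to a hypothetical VERBATIM digest type. The digest type number 250 and the reading of "input data" as owner name plus DNSKEY RDATA are my assumptions. It shows the point Paul raises: a hashed DS only commits to a key that a validator must still fetch and check at the child, whereas a VERBATIM DS hands a consumer the parent-published payload with no child-side confirmation involved.

```python
import hashlib
import struct

DIGEST_SHA256 = 2      # RFC 4509
DIGEST_VERBATIM = 250  # placeholder code point, assumed here, not assigned by the draft

def canonical_name(name):
    """Owner name in canonical wire format (lowercase labels), RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest input is owner name | DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    data = canonical_name(owner) + rdata
    if digest_type == DIGEST_SHA256:
        return hashlib.sha256(data).digest()
    if digest_type == DIGEST_VERBATIM:
        return data  # assumed semantics: no hashing, the "digest" is the input itself
    raise ValueError("unsupported digest type %d" % digest_type)

def make_ds(owner, rdata, digest_type):
    """Parent-side DS RDATA as (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)

def ds_matches_child_key(ds, owner, rdata):
    """Validator-side check: does a DNSKEY actually served by the child match this DS?"""
    tag, alg, dtype, digest = ds
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, dtype)

def payload_without_child(ds):
    """What can be read from the DS alone: nothing for a hash, the full DNSKEY RDATA for VERBATIM."""
    tag, alg, dtype, digest = ds
    if dtype != DIGEST_VERBATIM:
        return None
    i = 0  # skip the canonical owner name to reach the RDATA the parent published
    while digest[i] != 0:
        i += digest[i] + 1
    return digest[i + 1:]
```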
