I like this proposal, look forward to experimenting with this. I'm not sure about how to defend against downgrade attacks, without potentially having to touch some other DNSSEC-specific standards. I admit to not having looked at them again, recently, with this in mind, so the question I'm asking is something that might have an obvious answer. In a signed zone (parent) with a zone cut, which includes a REFER record, with or without the delegation being signed (i.e. with or without a DS record), what would/could protect against a downgrade?
I think this may need to be analogous to the handling of signed delegations, if the client (resolver) is DNSSEC-aware, in doing validation. I think NSEC(3) record(s) proving something would be necessary and sufficient, to prove the (non-)existence of NS and/or REFER records, and to include the REFER and RRSIG(REFER) even if RO is not present (possibly stripped). Synthesis of NS from REFER would probably be analogous to synthesis of CNAME from DNAME.

I like this a lot, actually. The only question is really uptake by registries/TLDs and the root.

Brian

On Fri, Feb 12, 2021 at 10:38 AM Ben Schwartz <bemasc= [email protected]> wrote:

> This is a fun proposal, Joe. (I think it should probably also go to DPRIVE, although it's mostly the same folks.)
>
> Regarding the Security Considerations, I would suggest that REFER-aware recursive resolvers (1) should also implement QNAME minimization, and (2) should send a REFER query in parallel with any shortened-QNAME query. It seems to me that should be roughly sufficient to prevent the downgrade attack (if the parent is signed) without adding latency.
>
> On Fri, Feb 12, 2021 at 11:08 AM Joe Abley <[email protected]> wrote:
>
>> Hi all,
>>
>> I have discovered that without liberal access to bars and hallways at in-person IETF meetings, I no longer know how to tell the difference between ambition and insanity when it comes to technical proposals. I am quite prepared to find out that in this case the needle is at the crazy end of the scale.
>>
>> Happy Friday!
>>
>>
>> Joe
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
