Hi, DNSOP folks, I have been working on the "unsigned NS record" problem (and related "unsigned glue record" problem).
I think this is relatively widely applicable, even though it was originally motivated by a problem that needed to be solved within DPRIVE. (That problem is the subject of a draft I will be posting in DPRIVE, for those interested.) I think it's fairly straightforward, but it is difficult to tell without getting feedback, so please let me know what you think.

Brian Dickson

---------- Forwarded message ---------
From: <[email protected]>
Date: Fri, Sep 17, 2021 at 1:29 AM
Subject: New Version Notification for draft-dickson-dnsop-ds-hack-01.txt
To: Brian Dickson <[email protected]>

A new version of I-D, draft-dickson-dnsop-ds-hack-01.txt has been successfully submitted by Brian Dickson and posted to the IETF repository.

Name: draft-dickson-dnsop-ds-hack
Revision: 01
Title: DS Algorithms for Securing NS and Glue
Document date: 2021-09-17
Group: Individual Submission
Pages: 6
URL: https://www.ietf.org/archive/id/draft-dickson-dnsop-ds-hack-01.txt
Status: https://datatracker.ietf.org/doc/draft-dickson-dnsop-ds-hack/
Html: https://www.ietf.org/archive/id/draft-dickson-dnsop-ds-hack-01.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-dickson-dnsop-ds-hack
Diff: https://www.ietf.org/rfcdiff?url2=draft-dickson-dnsop-ds-hack-01

Abstract:
This Internet Draft proposes a mechanism to encode relevant data for NS records on the parental side of a zone cut by encoding them in DS records based on a new DNSKEY algorithm. Since DS records are signed by the parent, this creates a method for validation of the otherwise unsigned delegation records. Notably, support for updating DS records in a parent zone is already present (by necessity) in the Registry-Registrar-Registrant (RRR) provisioning system, EPP. Thus, no changes to the EPP protocol are needed, and no changes to registry database or publication systems upstream of the DNS zones published by top level domains (TLDs). This NS validation mechanism is beneficial if the name server _names_ need to be validated prior to use.
The IETF Secretariat
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
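The abstract describes the idea at the level of "put NS-name data into parent-signed DS records under a new DNSKEY algorithm, then validate the unsigned NS names against them". The following is an added illustration of that validation step, written for this page; it is not code from the draft or from its author, and the draft's actual algorithm codepoint and digest encoding are not given here. It therefore assumes a hypothetical algorithm number (`ALG_NS_BINDING = 253`, from the RFC 4034 private-use range) and a hypothetical encoding in which the DS digest is SHA-256 over the canonical wire form of one name server name. The name canonicalisation and the DS RDATA layout follow RFC 4034; the three-way outcome (secure / insecure / bogus) mirrors DNSSEC's own handling of a published proof that fails to match.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hypothetical algorithm number meaning "this DS binds one NS target name".
# Taken from the private-use range (253/254) of RFC 4034 Appendix A.1.1 so it
# cannot collide with a real DNSKEY algorithm; the draft's codepoint is not on this page.
ALG_NS_BINDING = 253
DIGEST_TYPE_SHA256 = 2  # real DS digest type for SHA-256 (RFC 4509)


@dataclass(frozen=True)
class DSRecord:
    """RDATA fields of a DS record (RFC 4034 section 5.1)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def canonical_wire_name(name: str) -> bytes:
    """Canonical wire form per RFC 4034 section 6.2: lowercase ASCII labels,
    each prefixed by its length, terminated by the zero-length root label."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if not label:  # the root name "." yields one empty label; skip it
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def ns_binding_digest(ns_name: str) -> bytes:
    """Assumed encoding (not the draft's): SHA-256 over the canonical wire
    form of one NS target name."""
    return hashlib.sha256(canonical_wire_name(ns_name)).digest()


def ns_binding_ds(ns_name: str) -> DSRecord:
    """What the parent would publish (and sign) for one NS name. No key is
    involved, so the key tag is a constructed placeholder of 0."""
    return DSRecord(key_tag=0, algorithm=ALG_NS_BINDING,
                    digest_type=DIGEST_TYPE_SHA256,
                    digest=ns_binding_digest(ns_name))


def classify_delegation(ns_names: Iterable[str],
                        ds_rrset: Iterable[DSRecord]) -> Tuple[str, List[str]]:
    """Check the unsigned NS names of a delegation against the parent's DS
    RRset, which the caller has already DNSSEC-validated.

    Returns (status, unverified_names) where status is:
      "insecure": the parent publishes no NS-binding DS records, so there is
                  nothing to validate against (no worse than today);
      "bogus":    bindings are published but at least one NS name matches
                  none of them (assumed to mirror DNSSEC: a published proof
                  that fails to match is a failure, not an absence);
      "secure":   every NS name matches a parent-signed binding.
    DS records with any other algorithm are ordinary key digests and are ignored here.
    """
    bound = {ds.digest for ds in ds_rrset
             if ds.algorithm == ALG_NS_BINDING and ds.digest_type == DIGEST_TYPE_SHA256}
    names = list(ns_names)
    if not bound:
        return "insecure", names
    unverified = [n for n in names if ns_binding_digest(n) not in bound]
    return ("bogus" if unverified else "secure"), unverified


if __name__ == "__main__":
    # Constructed sample: the parent publishes bindings for two name servers.
    parent_ds = [ns_binding_ds("ns1.example.net"), ns_binding_ds("ns2.example.net")]
    print(classify_delegation(["NS1.Example.NET.", "ns2.example.net"], parent_ds))
    print(classify_delegation(["ns1.example.net", "ns3.example.net"], parent_ds))
```

Two points the code makes that the abstract only implies: because the comparison is over the canonical wire form, case and trailing-dot differences between the child's NS RRset and what the registrant provisioned through EPP do not cause spurious failures; and a resolver must distinguish "no bindings published" from "bindings published but one NS name is unbound", since only the second is evidence of a tampered or mis-provisioned delegation.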
