On Tue, Jul 26, 2022 at 6:22 AM Petr Špaček <[email protected]> wrote:
> On 28. 06. 22 16:20, Bob Harold wrote:
> > But the parent NS set is not covered by DNSSEC, and thus could be
> > spoofed??
> >
> > (Wish we could fix that!)
>
> I share your wish.
>
> Does anyone else want to contribute?

I have an interest in fixing this, as it affects a number of issues beyond the commonly referenced "privacy" issue, e.g. anything that relies on the name of the authoritative servers to obtain TLSA records or generally establish a TLS connection.

I wrote up a draft a while back (just recently expired) with a suggestion to improve the situation. I'd be happy to revive this and/or work on something similar.

The main motivation for the technique I chose was to avoid placing any requirements on Registry operators, including the out-of-band mechanism (EPP) and the publication mechanism (no new RRTYPEs, no new DS hash algorithms). In other words, deployable unilaterally by DNS operators and Registrars, with a modest set of changes for Resolvers (fully backward compatible).

Here is a link to the expired draft:
https://datatracker.ietf.org/doc/draft-dickson-dnsop-ds-hack/

Brian
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
