Hello everyone,
after reading the blog post What To Use Instead of PGP [1] and some
reactions to it on Mastodon [2], I was thinking about two things.

1) We might want SSHFP + DNSKEY records for SSH public keys, similar to
the RFC 7929 OPENPGPKEY and RFC 8162 SMIMEA records. SSHFP is great
because it is short, even if used for a higher number of users. It might
allow, for example, gitlab.com, where I have uploaded my public keys, to
provide my SSH public keys in a user-friendly, email-like way. Like
[email protected].

2) Were there any attempts to create a Certificate Transparency style
append-only, Merkle-tree-based log for TLDs? I think DNSSEC has just a
single parent, so it is much better than the normal dozens of CAs. But
still, a TLD would be able to redirect any subdomain to a valid DNSSEC
chain, even if it served wrong NS of child addresses. It could redirect
selected clients to bogus domains, and that would be somewhat hard to
detect.

But if a TLD ensured that every DS record with a changed digest is
written into a publicly verifiable append-only log for that domain, it
might make discovery of a bogus DNSKEY digest much simpler. Now or later.
Shaming any domain which, for example, made its own DS records to make
someone else's domain validation proof work.

The same would of course apply to the root zone itself, but that is at
least publicly published with every record available. I am not 100%
sure, but I do not think a similar policy applies to most TLD registrars.

A disadvantage of this approach would be publishing the existence of all
DNSSEC-signed domains in a public place. But given that Certificate
Transparency publishes not only the domain but each hostname, that might
not be too bad.

Is there any existing solution to this, to catch potential TLDs
misbehaving with their key powers? I know we have a way to sign a zone
and verify its contents. But that would require all TLDs to be public
for download by everyone. Then we might not need anything like what I
have described above.

What do you think? Do we need some kind of DnsKey Transparency too? Is
there a better solution?
Best Regards,
Petr
PS: Soatok is not a friend of DNSSEC and does not want to talk about it.
Please do not mention him with DNSSEC topics.
1. https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/
2. https://fosstodon.org/@[email protected]/113488105098558583
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
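As an added illustration of the first point (this is not part of Petr's mail nor any project's code): the SSHFP computation that already exists for host keys in RFC 4255 and RFC 6594, written out in Python. The fingerprint is just the SHA-1 or SHA-256 hash of the decoded public key blob, which is why the record stays short whatever the key size. The sample key bytes and the owner name host.example. are constructed placeholders, and the example covers only the standard host-key record; the user-key, email-like naming the mail proposes is not specified anywhere and is not implemented here.

```python
import base64
import hashlib
import struct

# SSHFP code points from RFC 4255, RFC 6594 and RFC 7479
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64> [comment]' line from 32 raw key bytes.
    Used here only to construct sample input; the bytes are not a real key."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()


def parse_pubkey_line(line: str):
    """Return (key type, decoded key blob); reject lines whose blob does not
    carry the key type the line declares."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return keytype, blob


def sshfp_rdata(line: str, fptype: str = "sha256"):
    """Compute (algorithm, fptype, fingerprint) for one public key line.
    The fingerprint hashes the decoded key blob, the same input 'ssh-keygen -r' uses."""
    keytype, blob = parse_pubkey_line(line)
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    return SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[fptype], hashlib.new(fptype, blob).hexdigest()


def sshfp_record(owner: str, line: str, fptype: str = "sha256") -> str:
    """Render the zone-file form of the SSHFP record for one key."""
    alg, fpt, fp = sshfp_rdata(line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"


if __name__ == "__main__":
    # constructed sample key, not a real one
    sample = ed25519_pubkey_line(bytes(range(32)), "sample@example")
    print(sshfp_record("host.example.", sample))
```

The comment field is ignored on purpose: only the blob is hashed, so the same key uploaded with different comments yields the same record, while any change to the key bytes changes the fingerprint.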