Hi Mahesh & other IESG members,

I have made final minor adjustments to the analysis text (mainly changing
adjectives) so it flows nicely with the MUST key words from IESG review.
These changes are recorded here:
https://github.com/desec-io/draft-ietf-dnsop-ds-automation/commit/7f51a39a300259b92e91567316c3e3e4c220788c

The new revision with all IESG feedback included is now available as -09.

Best,
Peter

On 5/21/26 22:48, Mahesh Jethanandani wrote:

Hi Peter,

I look forward to the updated draft. Thanks.

On May 21, 2026, at 9:54 AM, Peter Thomassen <[email protected]> wrote:

Hi Mahesh,

Just a small heads-up:

On 5/21/26 14:19, Peter Thomassen wrote:

- Authentication compromise: If an attacker gains control of child
zone signing keys or nameservers, automated DS updates become an
attack vector. The checks in Section 4.1 partially mitigate this,
but the residual risk is not articulated.

Also a good point. Same as above, I will post proposed text in Deb's review
thread.

I had missed the word "zone" in "child zone signing keys". The concern only
applies to SEP keys (that is, KSK or CSK), as this is the key that needs to
sign CDS/CDNSKEY RRsets (see RFC 7344 Section 4.1). I'll phrase the security
consideration accordingly.

Best,
Peter

Mahesh Jethanandani
[email protected]
--
deSEC e.V.
Möckernstraße 74
10965 Berlin
Germany
Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
_______________________________________________
DNSOP mailing list -- [email protected]