On 8/19/21 7:57 PM, Brian Dickson wrote:
On Thu, Aug 19, 2021 at 10:40 AM Peter Thomassen <pe...@desec.io> wrote:
Hi Brian,
The proposal aims to authenticate parental NS and glue records by having
the parent sign their hash digests, embedded in new types of DS records.
On Thu, Aug 19, 2021 at 10:40 AM Peter Thomassen wrote:
> Hi Brian,
>
> The proposal aims to authenticate parental NS and glue records by having
> the parent sign their hash digests, embedded in new types of DS records.
>
> 1.) The separation of the data which requires authentication (parental
Hi Brian,
The proposal aims to authenticate parental NS and glue records by having the
parent sign their hash digests, embedded in new types of DS records.
1.) The separation of the data which requires authentication (parental NS +
glue records) from the place where authentication is provided
On Fri, 13 Aug 2021, Ben Schwartz wrote:
I think we can summarize the recent DS-glue-signing drafts as follows:
* draft-fujiwara-dnsop-delegation-information-signer: One new DS holding a
hash of all the glue records.
* draft-dickson-dnsop-ds-hack: Each new DS holds the hash of one glue RRSet
*
> On Aug 12, 2021, at 12:21 PM, John Levine wrote:
>
> It appears that Brian Dickson said:
>> This is the work I will be submitting in DNSOP.
>>
>> This is what has been described as a “hack”, but provides a needed
>> validation link for
It appears that Brian Dickson said:
>This is the work I will be submitting in DNSOP.
>
>This is what has been described as a “hack”, but provides a needed validation
>link for authoritative servers where the latter are in
>signed zones, but where the served zones may not be
Hello,
I read draft-dickson-dnsop-ds-hack-00 and it proposes that
- it assigns three new DNSKEY algorithms (alg_ns, alg_A, alg_)
- it generates 3 new DS RRs for all parent side NS RR and glue (A/)
It will increase the DS response by 48 bytes * 3 = 144 bytes (in case of digest type 2).
owner
This is the work I will be submitting in DNSOP.
This is what has been described as a “hack”, but provides a needed validation
link for authoritative servers where the latter are in signed zones, but where
the served zones may not be signed.
NB: It overlaps with the recent DPRIVE draft that Ben