On Sat, 17 Nov 2012, Carl Wallace wrote:

> Rogue DS records might not be detectable to the party with the leaf
> record. For example, assume the domain name example.newtld. The owner of
> example has put DS record A in the newtld zone. If the owner of newtld
> goes rogue and shows DS record B to a limited number of requests (such as
> to a particular geographic region or set of network addresses), the party
> with the private key associated with B can spoof example, and the owner
> of example would not know unless he could see B.
>
> Who is intended to be able to contribute to the log?  It seems like for
> this to provide the desired visibility, any client should be able to.  For
> CT, at least, I thought this was not to be the case.

How do you authenticate that? You cannot use the DS/DNSKEY for
authentication because then the CT audit log is useless to detect
compromises.

And you cannot say "The CA industry" either, which is the answer for the
CT-PKIX version. If you make CT-DNSSEC go through the CA industry, it
will cost $10/year or more to get in the audit log.

Paul
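The split-view DS attack Carl describes (parent zone serving DS record B only to a targeted set of resolvers) can be illustrated with a small model of what a DS log with several vantage points would let the owner of example.newtld check. This is an added example, not code from either message or from any CT or DNSSEC project: it computes DS digests from DNSKEY RDATA the way RFC 4034/4509 specify (owner-name wire format plus RDATA, SHA-256), then compares the DS tuples observed from different vantage points against the DS the child actually published. The key material, vantage-point names and observation list are all constructed placeholders.

```python
import hashlib
import struct
from collections import defaultdict

# Constructed example modelling the rogue-DS scenario from the thread.
# Nothing here is real key material; the vantage points are placeholders.


def name_to_wire(name: str) -> bytes:
    """Canonical wire format of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA per RFC 4034 s2.1: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the non-RSA/MD5 variant)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256, RFC 4509) over owner name wire format + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def expected_ds(owner: str, flags: int, algorithm: int, pubkey: bytes):
    """The DS tuple (key tag, algorithm, digest type, digest) the child expects the parent to publish."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


def find_rogue_ds(own_ds, observations):
    """Return {ds_tuple: [vantage points]} for every DS seen in the parent that the child never published.

    observations is a list of (vantage_point, ds_tuple) as each vantage point saw it
    in the parent zone. With only the child's own view this check is impossible,
    which is exactly why the thread argues for a log anyone can contribute to.
    """
    rogue = defaultdict(list)
    for vantage, ds in observations:
        if ds not in own_ds:
            rogue[ds].append(vantage)
    return dict(rogue)


# --- constructed scenario: example.newtld, KSK flags 257, algorithm 13 (ECDSAP256SHA256) ---
OWNER = "example.newtld"
DS_A = expected_ds(OWNER, 257, 13, b"constructed-placeholder-key-A")  # the child's real DS
DS_B = expected_ds(OWNER, 257, 13, b"constructed-placeholder-key-B")  # DS for a key the child never generated

# Constructed observations of the newtld zone from several vantage points.
OBSERVATIONS = [
    ("vantage-eu", DS_A),
    ("vantage-na", DS_A),
    ("vantage-targeted-region", DS_B),  # the limited set of requests that sees B
]


def detect_split_view():
    """Run the check for the constructed scenario; returns the rogue DS map."""
    return find_rogue_ds({DS_A}, OBSERVATIONS)


if __name__ == "__main__":
    for ds, vantages in detect_split_view().items():
        print(f"DS not published by child: tag={ds[0]} alg={ds[1]} digest={ds[3][:16]}... seen from {vantages}")
```

The check is deliberately one-sided: it trusts the child's own DNSKEY as ground truth and treats the parent's served DS as the thing to audit, which is the direction that matters for the rogue-parent case. It says nothing about who may submit observations or how they are authenticated, which is the open question Paul raises.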
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey