On Fri, May 9, 2014 at 7:29 PM, Nico Williams <[email protected]> wrote:
> On Fri, May 9, 2014 at 6:12 PM, Phillip Hallam-Baker <[email protected]> wrote:
>> The simplest way to align things is to simply have a certificate
>> issued for the DNSSEC zone KSK and plop that in the log as normal.
>
> Sure, each zone acts as a CA for its children. That works, I think.
I have previously had some discussions about including DNSSEC / DANE / self-signed certs -- one of the objections / concerns was the threat of someone DoSing the logs by making up data (there is a cost to a CA cert, but I can create an infinite number of TLSA records or self-signed certs).

The main incentive (that I can see) to DoS the logs would be for the lolz[0], and so (IMO) the protection does not need to be very strong - having someone have to solve a captcha or make a small payment (could become a donation) would be enough.

W

[0]: Unless you could kill off CT completely / make browsers stop requiring it (and so allow someone to use an incorrect (misissued) cert), I cannot see a financial incentive for anyone to do this.

> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
