> > Or just say that anyone who puts in more than X amount of DNSSEC CT
> > entries underneath themselves must run a public CT node themselves. So
> > if nohats.ca want to get more than X entries, or one of their
> > subzones/customers wants more than X entries, either they or their
> > subzone/customer will have to run a fully functional CT node. And if
> > the node goes down, their new entries will be refused.
> >
> Yes, exactly. +1
>
I'm wondering what the exact threat model is here. Imagine a malicious domain operator wants to sign some DNSSEC records for use in an attack. They include hashes of them in their log, then claim to "lose" the original records, or issue the equivalent of SCTs and then never include them within the MMD. Who is checking up on them for this? Does the superdomain that signs this domain's record have to be doing full auditing of their DNSSEC-CT log? Does this still work then as anti-DoS if the superdomain has to do all of this auditing anyway (I suppose it could be made random, but then the domain can try to hide malicious entries among lots and lots of spam ones)?

Furthermore, is this requirement recursive? What if a malicious domain evil.com agrees with a subdomain really.evil.com not to audit their DNSSEC-CT log properly, so malicious records can be signed for really.evil.com and not audited by evil.com, but if com (who we assume is honest) only audits evil.com's log, they'll think it's in valid order? Is there a way to prevent the root from having to audit every log everywhere?

Also, the penalty for failing some audit check is losing control of your domain? That seems like a sufficient disincentive that few domains will want to go beyond whatever their superdomain's policy is and have to run their own log, enough that some current practices (like giving users of a website their own subdomain) would be affected.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
