On 16 Mar 2017, at 10:09, Wei Chuang wrote:
I saw there was significant interest <http://blog.huque.com/2014/07/dnssec-key-transparency.html> in exploring CT for DNSSEC back in 2014, of which a draft, draft-zhang-trans-ct-dnssec <https://tools.ietf.org/html/draft-zhang-trans-ct-dnssec-03>, was created. It seems to have quieted down since. I believe the motivation is still there, which is to prevent a parent zone from potentially misbehaving and spoofing the child zone. Is there still interest in this? From the list archives, I can't see what the issues were, though I'm guessing one of them was respecifying the DS resource record to use a SCT, which might have caused compatibility concerns. (But please correct me if I'm wrong.) Other than that, the draft seems pretty reasonable. Were there other concerns?
There were two separate issues that got conflated at the time:
- Seeing evidence that a parent had spoofed DNSSEC keys for a child. A transcript of the DS records in the parent is sufficient as long as the child doesn't have relying parties create islands of trust (which is relatively rare these days).
- Seeing evidence that a parent had spoofed any resource records for a child. A transcript of the NS records in the parent is a good start, although what is really needed is a transcript of everything that is seen for the child.
In both cases, having transcripts from various DNS looking glasses around the Internet would give greater assurance of the integrity of the transcript.
--Paul Hoffman
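The first issue above, as an added illustration that is not from the thread or from the draft: a small hash-chained transcript of the DS RRsets several looking glasses observe for one child zone, with a majority-view check across vantages and a check for DS key tags the child never published. Zone, vantage names, key tags and digests are constructed for the example, and the "looking glasses" are just inline data rather than real DNS queries.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True, order=True)
class DSRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest exactly as served by the parent

@dataclass
class DSTranscript:
    """Append-only, hash-chained log of DS RRsets observed for one child zone."""
    zone: str
    entries: list = field(default_factory=list)  # (vantage, frozenset[DSRecord])
    head: str = ""  # running hash over all leaves; rewriting history changes it

    def append(self, vantage: str, rrset) -> str:
        canon = ";".join(f"{r.key_tag} {r.algorithm} {r.digest_type} {r.digest}"
                         for r in sorted(rrset))
        leaf = hashlib.sha256(f"{self.zone}|{vantage}|{canon}".encode()).hexdigest()
        self.head = hashlib.sha256((self.head + leaf).encode()).hexdigest()
        self.entries.append((vantage, frozenset(rrset)))
        return self.head

def divergent_vantages(t: DSTranscript) -> list:
    """Looking glasses whose DS RRset differs from the majority view."""
    views = Counter(rrset for _, rrset in t.entries)
    majority = views.most_common(1)[0][0]
    return sorted(v for v, rrset in t.entries if rrset != majority)

def unpublished_key_tags(t: DSTranscript, child_key_tags) -> set:
    """DS key tags served by the parent that the child never published in
    its DNSKEY RRset: the evidence a child wants if the parent swaps keys."""
    seen = {r.key_tag for _, rrset in t.entries for r in rrset}
    return seen - set(child_key_tags)

# Constructed sample: the child publishes key tags 12345 and 23456; three honest
# looking glasses see the matching DS set, one sees a DS for a key the child
# never had (hypothetical zone and vantage names).
GOOD = {DSRecord(12345, 13, 2, "a1" * 32), DSRecord(23456, 13, 2, "b2" * 32)}
ROGUE = {DSRecord(12345, 13, 2, "a1" * 32), DSRecord(54321, 13, 2, "c3" * 32)}

def demo():
    t = DSTranscript("example.test.")
    for vantage, rrset in [("lg-ams", GOOD), ("lg-sfo", GOOD),
                           ("lg-tyo", ROGUE), ("lg-syd", GOOD)]:
        t.append(vantage, rrset)
    return divergent_vantages(t), unpublished_key_tags(t, {12345, 23456})
```

A real deployment would feed `append` from independent vantage points and publish `head` so a child (or auditor) can verify the log has not been rewritten.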
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans