On 17.8.2017 01:09, John Levine wrote:
> In article <20170816071920.ba2c98287...@rock.dv.isc.org> you write:
>>> A colleague says "If TLDs allowed UPDATE messages to be processed most
>>> of the issues with DNSSEC would go away. At the moment we have a whole
>>> series of kludges because people are scared of signed update messages."
>
> Someone is wildly overoptimistic.

Or maybe not. The CZ registry is now getting CDNSKEY from unsigned domains and
uses the obtained value to derive the parent-side DS. This allows even third
parties running DNS for the domain owner (e.g. Cloudflare) to DNSSEC-sign
domains with no action required from the domain owner.

Yes, someone might try to attack a domain using this. To lower the probability
of this kind of attack, CZ.NIC is nagging the technical contact for one week
before the DS gets installed into the CZ zone.

For further details please see
https://en.blog.nic.cz/2017/06/21/lets-make-dns-great-again/

We will see how it goes.

--
Petr Špaček @ CZ.NIC

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
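The DS derivation the post describes (parent reads the child's CDNSKEY, computes the DS it would publish), shown here as an added example that is not CZ.NIC's code or the tooling from the linked blog post. The zone name and key bytes are constructed placeholders; the check that the CDNSKEY matches a published DNSKEY and the handling of the RFC 8078 delete sentinel are standard CDS/CDNSKEY processing rules added here, not steps the post itself describes.

```python
import base64
import hashlib
from typing import List, NamedTuple, Optional

# Constructed sample data (not from the post): a zone, its CDNSKEY and its DNSKEY RRset.
SAMPLE_ZONE = "example.cz."
SAMPLE_KEY_B64 = base64.b64encode(bytes(64)).decode()  # placeholder key bytes, not a real key
SAMPLE_CDNSKEY = f"257 3 13 {SAMPLE_KEY_B64}"
SAMPLE_DNSKEYS = [SAMPLE_CDNSKEY]
DELETE_SENTINEL = "0 3 0 AA=="  # RFC 8078: child asks the parent to remove its DS

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, as in zone-file presentation format

def owner_name_wire(name: str) -> bytes:
    # Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte
    labels = [lab.encode("ascii") for lab in name.lower().rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def dnskey_rdata_wire(record: str) -> bytes:
    # Presentation format "flags protocol algorithm base64-key" -> RDATA wire bytes
    flags, proto, alg, key = record.split(None, 3)
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key.split())))

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_cdnskey(zone: str, cdnskey: str, dnskeys: List[str]) -> Optional[DS]:
    """Derive the parent-side DS (SHA-256, digest type 2) the registry would publish."""
    if cdnskey.split() == DELETE_SENTINEL.split():
        return None  # removal request, nothing to install
    rdata = dnskey_rdata_wire(cdnskey)
    # Only accept a CDNSKEY that is actually published in the child's DNSKEY RRset
    if not any(dnskey_rdata_wire(k) == rdata for k in dnskeys):
        raise ValueError("CDNSKEY does not match any DNSKEY published by the child")
    digest = hashlib.sha256(owner_name_wire(zone) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), rdata[3], 2, digest)

if __name__ == "__main__":
    print(ds_from_cdnskey(SAMPLE_ZONE, SAMPLE_CDNSKEY, SAMPLE_DNSKEYS))
```

A registry doing this for real would fetch CDNSKEY and DNSKEY from all of the child's authoritative servers and compare them before deriving anything, which is where the one-week notification window in the post fits in.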