On Mon, Mar 19, 2018 at 08:22:03AM -0400, Paul Wouters <p...@nohats.ca> wrote a message of 57 lines which said:
> We have just submitted a draft aimed at increasing the security of
> the DNSSEC with respect to the power that parental zones have over
> their children.

I'm opposed to this idea.

> While the root and TLD zones are assumed to be almost exclusively
> delegation-only zones,

This is unrelated. You mix two different things, the administrative issue and the technical one (every subdomain in its own zone). gouv.fr is administratively a delegation from .fr but is in the same zone.

> the root zone operator (or any level higher in the hierarchy than
> the target victim) could briefly remove the NS and DS records, and
> create a "legitimate" DNS entry for "www.example.org"

That's the DNS. It is a tree. Protecting children against the parent is a non-goal, or otherwise we should move to some alternative to DNS (Namecoin is cool).

> The aim here is to counter the argument that the root key and TLD
> keys are all powerful and under government control, and can therefore
> never be trusted.

I've read the draft and still can understand nothing in this sentence.

> 2) Allow the creation of DNSSEC transparency logs

Maybe mentioning draft-zhang-trans-ct-dnssec would be nice?

> The DELEGATION_ONLY flag has a strong overlap in functionality with
> the Public Suffix List as both signal a formal split of authority
> between parent and child.

Maybe mentioning the defunct DBOUND working group would be a good idea?