On Mon, Mar 19, 2018 at 02:12:38PM -0400, Bob Harold wrote:

> > > We have just submitted a draft aimed at increasing the security of
> > > the DNSSEC with respect to the power that parental zones have over
> > > their children.
> >
> > I'm opposed to this idea.
>
> If the parent simply pointed the NS and DS records to a different version
> of the zone, that would accomplish the same effect, even with a
> 'delegation-only' flag, so the 'delegation-only' flag really does not solve
> the problem.

The 'delegation-only' flag does not *by itself* prevent parent
domains from answering authoritatively for their child domains,
but it could make "certificate-transparency" more tractable for
DNSSEC.

The idea is to log the DNSKEY RRs observed at each zone apex.
Without the proposed flag, one would also have to log denial of
existence which would make the logs much too large.  CT for DNSSEC
may be impractical anyway, but this flag could make it more realistic.

-- 
        Viktor.
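To make the "log the DNSKEY RRs observed at each zone apex" idea concrete, here is an added example (mine, not Viktor's or anything from the DNSOP thread): a toy append-only log of observed apex DNSKEY RRsets with an RFC 6962-style Merkle tree for inclusion proofs, plus a monitor a zone operator could run to spot an apex DNSKEY RRset they never published. The zone names, the DNSKEY RDATA strings and the leaf canonicalization are constructed for illustration; the log deliberately records only apex DNSKEY RRsets, which is exactly the case the message says is tractable, and says nothing about denial of existence.

```python
"""
Added example, not from the DNSOP thread: a toy CT-style log for DNSKEY
RRsets observed at zone apexes. Leaf/node hashing follows the RFC 6962
domain-separation convention (0x00 for leaves, 0x01 for interior nodes);
the leaf canonicalization and all sample data are constructed here.
"""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(zone: str, dnskey_rrset: list[str]) -> bytes:
    # Constructed canonical form: lower-cased owner name plus sorted DNSKEY
    # RDATA, so the same RRset always yields the same leaf regardless of order.
    canonical = zone.lower().rstrip(".") + "\n" + "\n".join(sorted(dnskey_rrset))
    return _h(b"\x00" + canonical.encode())


def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


class ApexKeyLog:
    """Append-only log of (zone, DNSKEY RRset) observations."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, list[str]]] = []

    def append(self, zone: str, rrset: list[str]) -> int:
        self.entries.append((zone, list(rrset)))
        return len(self.entries) - 1  # index of the new leaf

    def _leaves(self) -> list[bytes]:
        return [leaf_hash(z, r) for z, r in self.entries]

    def root(self) -> bytes:
        level = self._leaves()
        if not level:
            return _h(b"")
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])  # duplicate last node on odd levels
            level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        return level[0]

    def inclusion_proof(self, index: int) -> list[tuple[bytes, str]]:
        # Sibling hashes from leaf to root; "L"/"R" says which side the sibling is on.
        level = self._leaves()
        proof = []
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])
            sibling = index ^ 1
            proof.append((level[sibling], "L" if sibling < index else "R"))
            level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            index //= 2
        return proof


def verify_inclusion(leaf: bytes, proof: list[tuple[bytes, str]], root: bytes) -> bool:
    h = leaf
    for sibling, side in proof:
        h = _node(sibling, h) if side == "L" else _node(h, sibling)
    return h == root


def monitor(log: ApexKeyLog, zone: str, published_rrset: list[str]) -> list[int]:
    """Indexes of logged observations for `zone` whose apex DNSKEY RRset
    differs from the RRset the zone operator actually published."""
    want = leaf_hash(zone, published_rrset)
    name = zone.lower().rstrip(".")
    return [i for i, (z, r) in enumerate(log.entries)
            if z.lower().rstrip(".") == name and leaf_hash(z, r) != want]


# Constructed sample DNSKEY RDATA (flags, protocol, algorithm, placeholder key text).
CHILD_KEYS = ["257 3 13 EXAMPLE-KSK-PUBKEY", "256 3 13 EXAMPLE-ZSK-PUBKEY"]
UNEXPECTED_KEYS = ["257 3 13 SOME-OTHER-KSK"]


def demo() -> tuple[bool, list[int]]:
    log = ApexKeyLog()
    first = log.append("child.example.", CHILD_KEYS)
    log.append("other.example.", ["257 3 13 OTHER-KSK"])
    log.append("child.example.", UNEXPECTED_KEYS)  # an apex RRset the operator never signed
    root = log.root()
    proof_ok = verify_inclusion(leaf_hash("child.example.", CHILD_KEYS),
                                log.inclusion_proof(first), root)
    return proof_ok, monitor(log, "child.example.", CHILD_KEYS)


if __name__ == "__main__":
    print(demo())  # (True, [2]): proof verifies, entry 2 is flagged
```

The monitor only needs to compare leaf hashes because every observation is an apex DNSKEY RRset; a log that also had to carry NSEC/NSEC3 denial-of-existence records for every name would not have a single per-zone value to compare against, which is the size problem the message points at.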

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
