Paul Wouters wrote:
> On Mon, 19 Mar 2018, Robert Edmonds wrote:
>
> > Viktor Dukhovni wrote:
> > > The idea is to log the DNSKEY RRs observed at each zone apex.
> > > Without the proposed flag, one would also have to log denial of
> > > existence which would make the logs much too large.
> >
> > Can you expand on what you mean by "much too large"? There are already
> > existing large scale passive DNS systems that log every RRset that they
> > observe, and on relatively modest amounts of hardware. Is transparency
> > for DNSSEC really all that less tractable than the "log every RRset"
> > problem?
>
> Do these large scale passive DNS systems then host the data for (m)any
> clients to fully download?
If those "(m)any clients" were interested in being customers of the
operator of the large scale passive DNS system, then yeah.

https://www.farsightsecurity.com/faq/#q13

> There are also privacy aspects. If you need to audit/log every query,
> you are uploading more personally identifiable information. Combined with
> TTL=0 or really short RRSIG times, these can become trackers. DNSKEY and
> DS records don't come with such short TTLs (or if they would it could
> itself be seen as a sign of malicious behavior) so there is much less
> of a one to one relationship between those queriers and answers.

Who is uploading what to whom in this scenario?

Suppose there were something like https://www.internic.net/domain/root.zone,
but instead of being a daily point in time snapshot of the root zone in
master file format, it were a log that captured each RRset and a publish
date, going back for some small window of time, and it were (ugh) PGP
signed so that you know it's authentic. Would that be enough for
independent auditors to construct and publish their own append-only
Merkle tree logs or whatever, so that folks who want to "trust, but
verify" the DNSSEC responses from the root could do so without having to
upload their query logs to anyone?

If so, doesn't this generalize to TLDs as well? That is, I guess I'm
saying if you need cooperation from the zone publisher anyway, why not
just get them to publish what you need, out of band? (Sure, it doesn't
work for the TLDs that don't want to publish their zones.)

-- 
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
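The auditor-built, append-only Merkle tree log that Robert sketches above, as an added example that is not part of the thread or of any DNSOP work: a constructed RRset log (every value made up), RFC 6962-style tree head and audit path generation on the log side, and the local verification a "trust, but verify" resolver would run against a DNSKEY RRset it observed, without sending its query log anywhere. The "|"-joined entry serialisation is an assumption.

```python
import hashlib

# Constructed stand-in for the out-of-band RRset log the post imagines:
# (apex, type, publish date, RDATA) per entry. Every value is made up.
RRSET_LOG = [
    ("example.", "DNSKEY", "2018-03-01", "257 3 8 KSK-PLACEHOLDER-A"),
    ("example.", "DNSKEY", "2018-03-01", "256 3 8 ZSK-PLACEHOLDER-B"),
    ("example.", "DNSKEY", "2018-03-10", "256 3 8 ZSK-PLACEHOLDER-C"),
    ("test.", "DS", "2018-03-12", "12345 8 2 DS-DIGEST-PLACEHOLDER"),
    ("example.", "DNSKEY", "2018-03-19", "256 3 8 ZSK-PLACEHOLDER-D"),
]

def leaf_hash(entry):
    # RFC 6962 leaf hash: 0x00 prefix over an assumed '|'-joined serialisation.
    return hashlib.sha256(b"\x00" + "|".join(entry).encode()).digest()

def node_hash(left, right):
    # RFC 6962 interior node hash: 0x01 prefix, left child then right child.
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    # Largest power of two strictly less than n, which fixes the tree shape.
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(entries):
    """Merkle tree hash of the log as it stood after these entries."""
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(entries, m):
    """Audit path for entry m: (sibling hash, side the sibling sits on)."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return inclusion_proof(entries[:k], m) + [(tree_head(entries[k:]), "R")]
    return inclusion_proof(entries[k:], m - k) + [(tree_head(entries[:k]), "L")]

def verify_inclusion(entry, proof, root):
    """Client side: rebuild the root from the observed RRset and its proof."""
    h = leaf_hash(entry)
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root
```

A resolver that saw a DNSKEY RRset fetches the (signed) tree head and the audit path for that entry from the log and runs verify_inclusion locally; its own queries never leave the resolver.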