On Tue, 20 Mar 2018, Stephane Bortzmeyer wrote:
> The 'delegation-only' flag does not *by itself* prevent parent
> domains from answering authoritatively for their child domains, but
> it could make "certificate-transparency" more tractable for DNSSEC.
> I don't think that you replied to Bob's remark. He said that the
> proposal is useless because it addresses only the case of "answering
> authoritatively for their child domain", not the "directing child
> domain to someplace".
The goal of the document is to make such malicious changes visible.
If the parent needs to replace NS/DS records, these are easily
auditable, identically to Certificate Transparency (RFC 6962bis).
We only need to look at (log) the DS/DNSKEY and do not have
to monitor all TLSA and other security RRtypes. Without this flag,
we need to track and log every DNS RRtype that has public key material
in it.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
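The check Paul describes above, watching only the parent's DS RRset against the child's DNSKEY RRset and logging any change, as an added Python example; it is not code from this thread or from the draft under discussion. The owner name and key bytes are constructed sample data (the "public key" is a hash-derived filler, not a real key), and the DS digest and key-tag computations follow RFC 4034 section 5 / Appendix B and RFC 4509.

```python
"""Added example, not from the DNSOP thread or any draft: audit a parent's
DS RRset against the child's DNSKEY RRset and record changes between two
observations, i.e. the "log the DS/DNSKEY" check described in the thread.
All names and key material below are constructed sample data."""
import base64
import hashlib
import struct
from typing import Dict, List, Set, Tuple

DNSKEY = Tuple[int, int, int, str]  # (flags, protocol, algorithm, public key base64)
DS = Tuple[int, int, int, str]      # (key tag, algorithm, digest type, digest hex)

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types, RFC 4034 / RFC 4509


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, root label last (RFC 4034 s6.2)."""
    labels = [l for l in name.lower().split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (8 bit), algorithm (8 bit), raw public key."""
    flags, protocol, algorithm, pubkey_b64 = key
    return struct.pack('!HBB', flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (16-bit ones-complement-style sum)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def build_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS the child expects the parent to publish: digest = H(owner wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], digest_type, digest)


def audit_ds(owner: str, child_keys: List[DNSKEY], parent_ds: Set[DS]) -> Dict[str, List[DS]]:
    """Classify each DS the parent serves as matching a child DNSKEY or not.
    A DS that matches no key the child publishes is exactly what an auditor wants logged:
    it lets whoever holds the corresponding private key sign the child zone."""
    expected = {build_ds(owner, k, dt) for k in child_keys for dt in DIGESTS}
    return {
        'matched': sorted(parent_ds & expected),
        'unmatched': sorted(parent_ds - expected),
    }


def diff_ds(previous: Set[DS], current: Set[DS]) -> Dict[str, List[DS]]:
    """Change record between two observations of the parent's DS RRset (the audit log entry)."""
    return {'added': sorted(current - previous), 'removed': sorted(previous - current)}


def sample_key(seed: bytes) -> DNSKEY:
    """Constructed KSK-shaped DNSKEY (flags 257, protocol 3, algorithm 13).
    The 64 key bytes are deterministic filler derived from the seed, not a real ECDSA key."""
    fake = hashlib.sha256(seed).digest() * 2
    return (257, 3, 13, base64.b64encode(fake).decode('ascii'))


if __name__ == '__main__':
    owner = 'child.example.'              # constructed owner name
    legit = sample_key(b'legit-ksk')      # the key the child actually publishes
    rogue = sample_key(b'rogue-ksk')      # a key the child never published
    before = {build_ds(owner, legit)}
    after = {build_ds(owner, legit), build_ds(owner, rogue)}   # parent silently added a DS
    print('audit:', audit_ds(owner, [legit], after))
    print('diff :', diff_ds(before, after))
```

The point of the design is the one made in the thread: the monitor only has to fetch two RRsets (the parent's DS and the child's DNSKEY) and compare, and every entry in the `unmatched` or `added`/`removed` lists is a concrete, signed-data event worth logging, without inspecting TLSA or any other key-bearing RRtype in the child zone.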