Wes and I updated the powerbind draft.
We did a lot of rewriting to clarify the concept, so if you were confused, please give this version another read. It clarifies a few issues based on the responses we had so far, such as the limitations of RRTYPEs for DELEGATION_ONLY zones (and how to deal with things like ns0.example.org entries).

There were two ideas floating around we did not incorporate. Any claims (or new bits to claim) that parents aren't allowed to skip you is one idea we did not add, as we couldn't find any behavioural change it would cause, while causing a lot of politics :) We also did not incorporate a new bit or bits to allow for variable limits (eg to support things like co.uk).

We did add an exception for _label as those labels really only convey information about the zone itself, and can never be mistaken for a child delegation. This would prevent requiring zone cuts for all _label directives (although it does not prevent these if you want to do them).

Note that it seems the datatracker broke and is throwing a 404 on the below Htmlized page. Until that is fixed, you can read the document on github as well:

https://github.com/hardaker/draft-pwouters-powerbind/

Paul

---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Sun, Mar 10, 2019 at 11:24 PM
Subject: New Version Notification for draft-pwouters-powerbind-02.txt
To: Paul Wouters <pwout...@redhat.com>, Wes Hardaker <i...@hardakers.net>

A new version of I-D, draft-pwouters-powerbind-02.txt
has been successfully submitted by Paul Wouters and posted to the
IETF repository.
Name:           draft-pwouters-powerbind
Revision:       02
Title:          The DELEGATION_ONLY DNSKEY flag
Document date:  2019-03-10
Group:          Individual Submission
Pages:          9
URL:            https://www.ietf.org/internet-drafts/draft-pwouters-powerbind-02.txt
Status:         https://datatracker.ietf.org/doc/draft-pwouters-powerbind/
Htmlized:       https://tools.ietf.org/html/draft-pwouters-powerbind-02
Htmlized:       https://datatracker.ietf.org/doc/html/draft-pwouters-powerbind
Diff:           https://www.ietf.org/rfcdiff?url2=draft-pwouters-powerbind-02

Abstract:
   This document introduces a new DNSKEY flag called DELEGATION_ONLY that
   indicates that the particular zone will never sign zone data aside from
   records at the apex of the zone or delegation records for its children.
   That is, every label (dot) underneath is considered a zone cut and must
   have its own (signed) delegation. DNSSEC Validating Resolvers can use
   this bit to mark any data that violates the DELEGATION_ONLY policy as
   BOGUS.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
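The policy in the abstract, as an added illustration that is not code from the draft or from any resolver: a small Python model of how a validator could classify parent-signed data under a DELEGATION_ONLY apex, including the _label exception discussed above. The set of delegation RRTYPEs and the omission of glue (the ns0.example.org case is left to the draft's own RRTYPE rules) are assumptions of this model.

```python
# Added model of the DELEGATION_ONLY policy; not the draft's or any
# resolver's code. Exact RRTYPE rules (including glue) are in the draft.

DELEGATION_RRTYPES = {"NS", "DS"}  # assumed: types a parent signs/serves at a cut


def _labels(name: str) -> list[str]:
    """Split a presentation-format name into lowercase labels (root dropped)."""
    return [lab for lab in name.rstrip(".").lower().split(".") if lab]


def classify(apex: str, owner: str, rrtype: str) -> str:
    """Classify an RRset signed with the DELEGATION_ONLY apex's key.

    Returns 'apex', 'delegation', 'attribute' (an _label directive that
    describes the zone itself and is exempt from the zone-cut rule) or
    'bogus' (data that must live in its own signed child zone).
    """
    a, o = _labels(apex), _labels(owner)
    if len(o) < len(a) or o[len(o) - len(a):] != a:
        raise ValueError(f"{owner} is not at or below {apex}")
    rel = o[: len(o) - len(a)]  # labels below the apex, leftmost first
    if not rel:
        return "apex"  # records at the apex are always allowed
    if all(lab.startswith("_") for lab in rel):
        return "attribute"  # e.g. _dmarc.example.org TXT, no zone cut needed
    if len(rel) == 1 and rrtype.upper() in DELEGATION_RRTYPES:
        return "delegation"  # one label down: a zone cut for a child
    # Anything deeper, or a non-delegation type one label down, is data the
    # parent may never sign; a validator marks it BOGUS.
    return "bogus"


def accept(apex: str, delegation_only: bool, owner: str, rrtype: str) -> bool:
    """Validator decision for a parent-signed RRset: True if acceptable."""
    if not delegation_only:
        return True  # flag clear: no extra constraint beyond normal DNSSEC
    return classify(apex, owner, rrtype) != "bogus"
```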