> On 25 Jul 2019, at 9:10 pm, Tony Finch <d...@dotat.at> wrote:
>
> Samuel Weiler <wei...@csail.mit.edu> wrote:
>>
>> That does not include the argument in the below bullet, which I find unclear.
>> What does "name redirection" mean in this context?
>>
>> o Since the zones are related to private networks, it would make
>> more sense to make the internal network more secure to avoid name
>> redirection, rather than complicate the DNS protocol.
>
> I guess it's referring to active DNS modification attacks?
>
> Another reason not mentioned in the draft is resilience against loss of
> connectivity. If you have a local trust anchor, you can validate local
> zones even when you can't reach the outside world. With normal DNSSEC
> validation everything is screwed if you can't obtain the chain of trust.
>
> Of course, the network should be secure and reliable in its lower layers,
> but I tend to think the DNS should be secure and reliable itself, even if
> the lower layers are a bit dodgy.
>
> Having thought about this a bit, I now prefer something like catalog zones
> as a way to distribute trust anchors.
You just slave the private DLV registry and load the trust anchors from that
after validating each DLV RRset.
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Lundy, Fastnet: Variable 2 to 4 in east Lundy, otherwise southerly veering
> southwesterly 4 to 6. Slight or moderate in east Lundy, but elsewhere moderate
> or rough. Thundery showers. Moderate or good.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org