Ben Schwartz <bemasc=40google....@dmarc.ietf.org> writes:

> If I understand correctly, the Powerbind draft is designed to reduce
> the amount of data that must be logged in order to verify appropriate
> use of a DNSKEY "K" for a delegation-only zone. I'm trying to compare
> the amount of logging required with and without Powerbind.
>
> Here's my current best guess:
> - With Powerbind, we need to log all DS records (to detect replacement) and
> NSEC and NSEC3 records (to detect repudiation) that are signed by K, along with
> their RRSIGs. Resolvers would reject any other records signed by K.
> - Without Powerbind, we need to log any record signed by K that is not on the
> apex, along with its RRSIG.
>
> But for a delegation-only zone, aren't these the same set? What else would a
> delegation-only zone be signing beyond the apex, other than DS, NSEC, and
> NSEC3?
The point of powerbind is to specifically state "I'm delegation only". Without knowledge of that, you end up having to log everything, per your own conclusion, because there is no way to know if it's a delegation-only zone. As the first sentence in the abstract says, "This document introduces a new DNSKEY flag called DELEGATION_ONLY that indicates that the particular zone will never sign zone data across a label." I.e., the whole point is to communicate that a zone is such a zone.

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
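A small Python model of the two logging regimes the thread compares, added here as an example and not code from the draft or from either poster; the flag's bit position, the helper names and the sample RRsets are assumptions. It shows why, without the flag, an auditor must retain every non-apex RRset K signs, while with it only DS/NSEC/NSEC3 need keeping because validators already reject the rest.

```python
DELEGATION_ONLY_BIT = 0x0200  # PLACEHOLDER bit: the draft assigns the real position, not this value
ZONE_KEY_BIT = 0x0100         # RFC 4034 Zone Key flag (bit 7)
ALLOWED_BELOW_APEX = {"DS", "NSEC", "NSEC3"}  # all a delegation-only zone signs across a label

def _labels(name):
    """Case-folded label list with the trailing dot dropped; root -> []."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]

def signed_across_label(owner, apex):
    """True when owner is a proper subdomain of apex, i.e. zone data 'across a label'."""
    o, a = _labels(owner), _labels(apex)
    return len(o) > len(a) and o[len(o) - len(a):] == a

def validator_accepts(flags, apex, owner, rrtype):
    """Resolver-side check on an RRset whose RRSIG verifies under DNSKEY K (`flags`).
    With DELEGATION_ONLY set, K may only sign DS/NSEC/NSEC3 below the apex; apex
    data (SOA, NS, DNSKEY, ...) is not across a label and is unaffected."""
    if not flags & DELEGATION_ONLY_BIT or not signed_across_label(owner, apex):
        return True
    return rrtype.upper() in ALLOWED_BELOW_APEX

def auditor_must_log(flags, apex, owner, rrtype):
    """What a log must retain to later prove misuse of K.
    Without the flag every non-apex RRset K signs must be kept, since nothing
    says the zone is delegation-only. With it, validators already reject anything
    but DS/NSEC/NSEC3 below the apex, so only those (plus RRSIGs) need logging."""
    if not signed_across_label(owner, apex):
        return False
    if not flags & DELEGATION_ONLY_BIT:
        return True
    return rrtype.upper() in ALLOWED_BELOW_APEX

def audit(flags, apex, rrsets):
    """Split (owner, type) pairs signed by K into rejected-by-validators and must-log."""
    rejected = [r for r in rrsets if not validator_accepts(flags, apex, *r)]
    to_log = [r for r in rrsets if auditor_must_log(flags, apex, *r)]
    return rejected, to_log

# Constructed sample: parent "example." signs its apex, a delegation's DS and NSEC,
# and one RRset a delegation-only parent should never sign (an A inside the child).
SAMPLE = [("example.", "SOA"), ("example.", "NS"), ("child.example.", "DS"),
          ("child.example.", "NSEC"), ("www.child.example.", "A")]

if __name__ == "__main__":
    print(audit(ZONE_KEY_BIT | DELEGATION_ONLY_BIT, "example.", SAMPLE))
    print(audit(ZONE_KEY_BIT, "example.", SAMPLE))
```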