On Mon, Apr 27, 2020 at 3:28 PM Wes Hardaker <wjh...@hardakers.net> wrote:

> Joe Abley <jab...@hopcount.ca> writes:
>
> > This draft needs a more compelling problem statement, and a clear
> > description of why other controls (e.g. reputational, contractual) are
> > insufficient. [It's also possible that the draft just needs a clearer
> > problem statement, rather than a more compelling one.]
>
> Hi Joe,
>
> Thanks for the comments.  I'm working on a more clear rewrite of the
> introduction.  I'd love your feedback on it once I get it wrapped up.  I
> think (hope) I can spell out the case for support more clearly.  I agree
> the subject is a bit hard to wiggle into your head (as are most
> somewhat-complex security cases)
>
>
Hi, Wes,

I was looking at the draft to see if I understood the intent correctly, and
I think there may be a small gap, if my understanding is correct.

So, I think there are two use cases that something doing this kind of thing
needs to handle.

One is the "flat delegation-only zone", like any of the big well-known ones
(com, net, org, info).

The other would be the kind that are multiple-depth delegation zones, where
the Public Suffix List is already kind of necessary.

What I think is needed is a way to explicitly declare the places where the
depth is > 1 (if a normal flat delegation-only zone has depth == 1).

And that would effectively just need a way of making permanent and
well-known, the set of ENTs for the zone (empty non-terminals).

I think that list is likely to be short even for the most convoluted zones.

Without this, it would be theoretically possible for the TLD to add
additional unsigned delegations to bypass a signed delegation.

With the addition of an explicit set of ENTs, there would be double-entry
accounting.
Entries in the zone with depth > 1 would require a chain of ENTs to the
zone apex.
Entries in the zone with depth == 1 would need to not also have
corresponding ENTs.

(My assumption is the ENT declarations would be separate from the intrinsic
ENTs from NSEC or the explicit ones from NSEC3, if I recall my NSEC vs
NSEC3 nuances, and probably in a sibling zone like _ent.TLD for example.)

If two delegations were present, child.example.com and example.com, it
would not be possible to disambiguate them without knowing more about the
zone structure and semantics.

The two example zones I would reference would be ".uk", and ".jp", where
there are SLDs immediately below the TLD, and additional SLD-like
delegations or non-delegations further down in the zones.

Brian
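A toy consistency check for the double-entry accounting described in the message above, added here as an illustration and not part of the original thread or of any draft. The apex name and zone contents are constructed, and the rule set (no name may be both a delegation and a declared ENT; every name deeper than one label needs a declared ENT at each intermediate owner up to the apex) is one reading of the message, not text from the draft.

```python
# Double-entry check between a delegation-only zone's cut points and its
# declared set of empty non-terminals (ENTs). All names are relative to a
# constructed apex and written without a trailing dot.

APEX = "example"  # constructed TLD used for the sample data below


def depth(name, apex=APEX):
    """Number of labels below the apex; 'bbc.co.example' under 'example' is 2."""
    labels = name.rstrip(".").split(".")
    apex_labels = apex.rstrip(".").split(".")
    if labels[-len(apex_labels):] != apex_labels:
        raise ValueError(f"{name} is not under {apex}")
    return len(labels) - len(apex_labels)


def parents(name, apex=APEX):
    """Owner names strictly between `name` and the apex, closest first."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, depth(name, apex))]


def check_zone(delegations, ents, apex=APEX):
    """Return a list of problems; an empty list means the accounting balances.

    Rule 1: a name cannot be both a delegation and a declared ENT (this is what
            rules out the ambiguous 'acme.example' plus 'child.acme.example' case).
    Rule 2: every delegation or ENT deeper than one label must have a declared
            ENT at each intermediate owner name up to the apex.
    """
    problems = []
    for d in sorted(delegations):
        if d in ents:
            problems.append(f"{d}: delegation cannot also be a declared ENT")
        for p in parents(d, apex):
            if p not in ents:
                problems.append(f"{d}: missing declared ENT {p}")
    for e in sorted(ents):
        for p in parents(e, apex):
            if p not in ents:
                problems.append(f"{e}: ENT chain broken, missing declared ENT {p}")
    return problems


# Constructed sample: a .uk-style layout with one ENT and one direct delegation.
SAMPLE_DELEGATIONS = {"bbc.co.example", "foo.example"}
SAMPLE_ENTS = {"co.example"}

if __name__ == "__main__":
    print(check_zone(SAMPLE_DELEGATIONS, SAMPLE_ENTS) or "zone balances")
```

Running the check on the message's ambiguous case (a delegation at `acme.example` alongside one at `child.acme.example`) reports a problem whether or not `acme.example` is declared as an ENT, which is the point of the double entry.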
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop