Hi Paul,

On 30 Jul 2020, at 13:20, Paul Wouters <p...@nohats.ca> wrote:

> On Thu, 30 Jul 2020, Petr Špaček wrote:
>
>> It is hard to see what benefits draft-ietf-dnsop-delegation-only brings
>> without having a description of the "DNSSEC Transparency" mechanism available.
>
> I do not believe that is correct. The first and foremost purpose is for
> the bit to signal the parent zone's behaviour in a public way that
> prevents targeted / coerced attacks from the parent. This allows
> policy violations to be rejected even if these violating DNS answers
> are DNSSEC signed.

Has anybody done a survey to find out how many TLD zones actually fit the description of "delegation-only"?

I know for a fact that ORG does not today, and I would say it is unlikely ever to. For example, any nameserver N that is subordinate to domain D and linked to some other domain E will be served authoritatively from the ORG zone if domain D is suspended while E continues to be delegated. Suspensions happen regularly, e.g. for domains implicated in technical abuse. There are several thousand examples of such N today, and history suggests the number is not becoming smaller.

Even if the number of such N could reach zero in ORG, we could never assume the number would remain at zero, and we still would not be able to assert usefully that the zone is delegation-only. I don't think ORG is particularly special in this regard; it seems possible that other (possibly many other; possibly most or all) TLD zones are similar.

If there are no TLD zones that actually are delegation-only, then there seems to be no obvious application for it, regardless of whether we consider it to be useful or not.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
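To make the failure mode Joe describes concrete, here is an added example that is not part of the thread, the draft, or any registry's tooling. It models a small parent zone as (owner, type, rdata) triples and reports address records that are no longer glue for any delegation the zone still contains, which is the data the parent ends up serving authoritatively once the child (D) is suspended while another child (E) still names a server under D. The zone contents, the names (d.org, e.org, ns1.d.org, ns.example) and the 192.0.2.53 address are all constructed; "orphan" is this example's own term, and the notion of "delegation-only" checked here (nothing but apex data, NS, DS and glue) is an assumption made for illustration rather than the draft's text.

```python
"""Added example (not from the thread or the draft): find address records in a
parent zone that are not glue for any delegation the zone still contains.

Such records are data the parent serves authoritatively, which is exactly the
situation the message describes: nameserver N lives under domain D, domain E
also uses N, D gets suspended, and N's address records must stay in the zone
for E's sake.  All zone data below is constructed; nothing here is real ORG data.
"""

ADDRESS_TYPES = ("A", "AAAA")
DELEGATION_TYPES = ("NS", "DS")


def _at_or_below(name, cut):
    """True if `name` is `cut` or a subdomain of it (absolute names, trailing dot)."""
    return name == cut or name.endswith("." + cut)


def delegation_cuts(zone, apex):
    """Owner names of NS RRsets other than the apex, i.e. the zone cuts."""
    return {owner for owner, rtype, _ in zone if rtype == "NS" and owner != apex}


def orphan_address_records(zone, apex):
    """Return A/AAAA records that are not glue for any delegation in `zone`.

    An address record counts as glue when its owner sits at or below a zone cut
    present in the same zone.  Once the NS RRset for that cut is removed (for
    example because the child domain was suspended), the address record is no
    longer glue and the parent serves it as ordinary authoritative data.
    """
    cuts = delegation_cuts(zone, apex)
    return [
        (owner, rtype, rdata)
        for owner, rtype, rdata in zone
        if rtype in ADDRESS_TYPES
        and owner != apex
        and not any(_at_or_below(owner, cut) for cut in cuts)
    ]


def non_delegation_records(zone, apex):
    """Every record that is neither apex data, nor NS/DS, nor glue (assumed definition)."""
    cuts = delegation_cuts(zone, apex)
    out = []
    for owner, rtype, rdata in zone:
        if owner == apex or rtype in DELEGATION_TYPES:
            continue
        if rtype in ADDRESS_TYPES and any(_at_or_below(owner, cut) for cut in cuts):
            continue
        out.append((owner, rtype, rdata))
    return out


def is_delegation_only(zone, apex):
    """True when the zone holds nothing but apex data, NS, DS and glue."""
    return not non_delegation_records(zone, apex)


# Constructed parent zone "org." as (owner, type, rdata) triples.  ns1.d.org is
# subordinate to d.org, and e.org is also delegated to it.
ZONE_BEFORE = [
    ("org.",       "SOA", "ns.example. hostmaster.example. 1 7200 900 1209600 3600"),
    ("org.",       "NS",  "ns.example."),
    ("d.org.",     "NS",  "ns1.d.org."),
    ("d.org.",     "DS",  "12345 13 2 <digest placeholder>"),
    ("ns1.d.org.", "A",   "192.0.2.53"),     # glue, while d.org is delegated
    ("e.org.",     "NS",  "ns1.d.org."),     # E depends on N, which lives under D
    ("f.org.",     "NS",  "ns.example."),    # out-of-zone nameserver, no glue needed
]

# The same zone after d.org is suspended: its NS and DS go away, but the
# ns1.d.org address record has to stay because e.org still points at it.
ZONE_AFTER = [rr for rr in ZONE_BEFORE if rr[0] != "d.org."]


def survey(zone, apex):
    """Summary an operator might compute over a whole zone file."""
    orphans = orphan_address_records(zone, apex)
    return {
        "delegations": len(delegation_cuts(zone, apex)),
        "orphan_address_records": len(orphans),
        "delegation_only": is_delegation_only(zone, apex),
    }


if __name__ == "__main__":
    for label, zone in (("before suspension", ZONE_BEFORE), ("after suspension", ZONE_AFTER)):
        print(label, survey(zone, "org."))
        for rr in orphan_address_records(zone, "org."):
            print("  authoritative data in parent:", rr)
```

Run against the constructed data, the "before" zone reports no orphans and the "after" zone reports the single ns1.d.org A record, which is the record the parent would now be answering for authoritatively. To run the same survey over a real TLD zone file you would replace the hand-written triples with output from a proper zone-file parser (for example dnspython's zone loader) and keep the comparison logic as is; the name comparison here is a plain suffix match on absolute, lower-case names, so normalise case before feeding real data in.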