Hello dnsop,

Early 2019, Manu of Facebook proposed the DSPKI record - a parent-side-of-the-delegation record to hold a pin for authenticating child-side DoT servers. This would be undeployable.

A few months ago, Tim April proposed NS2/NS2T, which looks like it would clearly benefit from the ability to publish signed data on the parent side of a delegation. This ability seems unlikely today.

Also a few months ago, a few others and I proposed shoehorning certificate hashes into the DS record. The shoehorning (and perhaps some other aspects of that proposal) was not well received by everybody.

When talking to Petr Spacek about this, he came up with the following: -if-, long enough ago, besides DS, a range of RRtype numbers would have been reserved with the same processing rules, i.e. these types live in the -parent- and not on the -child-, then both DSPKI and NS2T could become parent-side records through the simple act of requesting an IANA allocation from that special range.

Sadly, it is not five years ago today. It is today today.

So, here is a draft that requests that IANA reserves such a range. Knowledge of that range and its DS-like handling can then end up in implementations over time. When that has happened at some useful scale, we could do a DSPKI experiment. NS2T could explore what benefits come from the ability to publish in the parent. And, nobody will have to shoehorn hashed TLS certificates into DS records.

This draft is a bit rough; I trust it, and this email, have brought the idea across. Editorial comments are welcome via GitHub (link is in the draft), or via the WG of course.

Looking forward to your thoughts on this.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

-------- Forwarded Message --------
From: internet-dra...@ietf.org
To: Petr Spacek <petr.spa...@nic.cz>, Peter van Dijk <peter.van.d...@powerdns.com>
Subject: [EXT] New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt
Date: Thu, 24 Sep 2020 10:49:03 -0700

A new version of I-D, draft-peetterr-dnsop-parent-side-auth-types-00.txt
has been successfully submitted by Peter van Dijk and posted to the
IETF repository.

Name:           draft-peetterr-dnsop-parent-side-auth-types
Revision:       00
Title:          Parent-side authoritative DNS records for enhanced delegation
Document date:  2020-09-24
Group:          Individual Submission
Pages:          5
URL:            https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt
Status:         https://datatracker.ietf.org/doc/draft-peetterr-dnsop-parent-side-auth-types/
Html:           https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.html
Htmlized:       https://tools.ietf.org/html/draft-peetterr-dnsop-parent-side-auth-types-00

Abstract:
   A DNS RRtype numeric range that behaves like DS is reserved. This
   means: being authoritative on the parent side of a delegation; being
   signed by the parent; being provided along with delegations by the
   parent. If this document had become an RFC five years ago, new types
   (along the lines of NS2/NS2T, DSPKI or various other imagined things
   like DNS ('signed delegation NS')) would be easier to deploy and
   experiment with today.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
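As an added illustration of the processing rules the abstract describes (not code from the draft, from PowerDNS, or from anyone on the thread), the following Python models how an authoritative server for a parent zone would treat a reserved DS-like RRtype range at a delegation point: types in the range are answered authoritatively from parent data (AA set, even when the RRset is empty), and they are handed out in the authority section of referrals alongside the NS set, exactly as DS is today. The range bounds (60000-60063), the type number 60001, and the sample zone contents are assumptions invented for the example; the page does not state what range the draft asks for.

```python
"""Added example (not from the draft, not PowerDNS code): how an authoritative
server could treat a reserved "parent-side" RRtype range the way it treats DS
at a delegation point."""

from dataclasses import dataclass
from typing import Optional

# Real RRtype numbers from the IANA DNS Parameters registry.
TYPE_A = 1
TYPE_NS = 2
TYPE_TXT = 16
TYPE_DS = 43

# ASSUMPTION: the draft asks IANA to reserve a range, but this page does not
# give its bounds; the numbers below are invented for this example only.
PARENT_SIDE_RANGE = range(60000, 60064)


def is_parent_side_type(rrtype: int) -> bool:
    """True for DS and for anything in the (assumed) reserved range."""
    return rrtype == TYPE_DS or rrtype in PARENT_SIDE_RANGE


@dataclass
class Zone:
    origin: str   # apex owner name, written without a trailing dot
    rrsets: dict  # (owner, rrtype) -> list of rdata strings

    def is_delegation(self, owner: str) -> bool:
        """A non-apex name with an NS RRset is a zone cut."""
        return owner != self.origin and (owner, TYPE_NS) in self.rrsets

    def cut_for(self, qname: str) -> Optional[str]:
        """Topmost delegation point at or above qname, or None if in-zone."""
        labels = qname.split(".")
        for i in range(len(labels) - 1, -1, -1):
            ancestor = ".".join(labels[i:])
            if ancestor == self.origin:
                continue
            if self.is_delegation(ancestor):
                return ancestor
        return None

    def answer(self, qname: str, qtype: int) -> dict:
        """Return a minimal response: AA flag plus answer/authority/additional."""
        cut = self.cut_for(qname)
        if cut is None or (qname == cut and is_parent_side_type(qtype)):
            # Either ordinary in-zone data, or a DS-like type at the cut: the
            # parent is authoritative, so AA is set even for an empty RRset
            # (a NODATA answer, which a signed zone would prove with NSEC).
            return {"aa": True,
                    "answer": list(self.rrsets.get((qname, qtype), [])),
                    "authority": [], "additional": []}
        # Anything else at or below the cut belongs to the child: referral.
        ns_names = self.rrsets[(cut, TYPE_NS)]
        authority = [(cut, TYPE_NS, ns) for ns in ns_names]
        # Parent-side types are handed out alongside the delegation, as DS is.
        for (owner, rrtype), rdatas in sorted(self.rrsets.items()):
            if owner == cut and is_parent_side_type(rrtype):
                authority += [(owner, rrtype, rd) for rd in rdatas]
        # Glue: addresses of name servers that live below the cut.
        additional = [(ns, TYPE_A, a) for ns in ns_names
                      if self.cut_for(ns) == cut
                      for a in self.rrsets.get((ns, TYPE_A), [])]
        return {"aa": False, "answer": [], "authority": authority,
                "additional": additional}


# Constructed sample zone: "example" delegates "child.example" and holds a DS
# plus one record of the hypothetical parent-side type 60001 at the cut.
EXAMPLE = Zone("example", {
    ("example", TYPE_NS): ["ns1.example"],
    ("ns1.example", TYPE_A): ["192.0.2.1"],
    ("child.example", TYPE_NS): ["ns.child.example"],
    ("ns.child.example", TYPE_A): ["192.0.2.53"],        # glue
    ("child.example", TYPE_DS): ["12345 13 2 0123abcd"],  # made-up, truncated digest
    ("child.example", 60001): ["hypothetical-parent-side-rdata"],
})

if __name__ == "__main__":
    for q in [("child.example", TYPE_DS), ("child.example", 60001),
              ("child.example", TYPE_NS), ("www.child.example", TYPE_A)]:
        print(q, EXAMPLE.answer(*q))
```

The point the model makes visible is that only one decision changes: `is_parent_side_type()` is the single place a server (or a validating resolver doing the mirror-image check) needs to know about the range, which is why such a range has to be reserved well before anyone wants to use a type from it.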