Moin!
On 23 Feb 2021, at 16:08, Ben Schwartz wrote:
Inspired by some recent discussions here (and at DNS-OARC), and hastened by the draft cut-off, I present for your consideration "DNSSEC Strict Mode":
https://datatracker.ietf.org/doc/html/draft-schwartz-dnsop-dnssec-strict-mode-00
Interesting read. Some comments:
- Shouldn't multiple signatures/algorithms be the exception, only used when migrating to a new one? Having multiple algorithms as the norm seems wrong, but I'm not a crypto person so would be interested if this is used somewhere.
- In DNSSEC or DNS in general you have to think about the whole domain tree. If you do a more secure algorithm in a leaf/child zone you are still at the mercy of what your parent zones do, as a successful attack on the parent would render your child zone irrelevant.
- DNSSEC validators are already absurdly complex; this is yet another straw on the camel's back IMHO.
So long
-Ralf
——-
Ralf Weber
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop