Hello,

I read draft-dickson-dnsop-ds-hack-00 and it proposes that

- it assigns three new DNSKEY algorithms (alg_NS, alg_A, alg_AAAA)
- it generates 3 new DS RRs for all parent-side NS RRs and glue (A/AAAA)

It will increase the DS response by 48 bytes * 3 = 144 bytes (in case of digest type 2).

  owner IN DS 0 alg_NS   digest hash_of(canonical_order(NS RRset))
  owner IN DS 0 alg_A    digest hash_of(canonical_order(glue A))
  owner IN DS 0 alg_AAAA digest hash_of(canonical_order(glue AAAA))

Please add such examples.

The canonical ordering is defined in RFC 4034, and your draft depends on draft-ietf-dnsop-glue-is-not-optional. Please add them as references.

I proposed a similar idea, "Delegation Information (Referrals) Signer for DNSSEC", at the IETF 109 dnsop WG, and it was not preferred at the time.
See: https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-delegation-information-signer-00

My idea generates one DS resource record for each delegation point. The signer and the verifier generate the complete NS RRset and glue set, reorder them into canonical order, and calculate the hash.

  owner IN DS ? new_alg? new_digest? hash_of(canonical_order(NS RRset)|canonical_order(glue RRset))

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

> From: Brian Dickson <brian.peter.dick...@gmail.com>
> This is the work I will be submitting in DNSOP.
>
> This is what has been described as a "hack", but provides a needed validation
> link for authoritative servers where the latter are in signed zones, but where
> the served zones may not be signed.
>
> NB: It overlaps with the recent DPRIVE draft that Ben S submitted recently.
>
> It will likely be the case that those overlaps need to be reconciled, based on
> use cases and scope.
>
> I think there are valuable use cases other than privacy, which would make this
> more appropriate for DNSOP.
>
> Comments are welcome.
>
> The draft can be found at:
>
> https://www.ietf.org/archive/id/draft-dickson-dnsop-ds-hack-00.txt
>
> Brian

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
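Worked example of the two digest constructions discussed in the thread, added here as an illustration; it is not code from draft-dickson-dnsop-ds-hack-00, from draft-fujiwara-dnsop-delegation-information-signer-00, or from either author. Neither message fixes the exact octets the hash covers, so the following are assumptions: SHA-256 (DS digest type 2, as in the size estimate above); the digest is taken over the wire-format zone owner name followed by each RR of a group in RFC 4034 section 6.2 canonical form (lowercased, uncompressed owner name, TYPE, RDLENGTH, RDATA, with TTL and CLASS deliberately left out so a parent-side TTL change does not invalidate the DS), the RRs ordered as octet strings per section 6.3; and alg_NS / alg_A / alg_AAAA / new_alg are placeholder names with no assigned code points. The delegation data at the bottom is constructed sample input.

```python
"""Digest over delegation information (NS RRset + glue), illustrating the
three-DS variant (draft-dickson) and the one-DS variant (draft-fujiwara).
Assumption: hash( wire(zone) | canonical_order(group_1) | ... ), SHA-256."""
import hashlib
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28


def name_to_wire(name: str) -> bytes:
    """Canonical name per RFC 4034 s.6.2: absolute, lowercase, uncompressed."""
    labels = name.rstrip(".").lower()
    wire = b""
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def rdata(rtype: int, value: str) -> bytes:
    """Wire-format RDATA for the three types the proposal covers."""
    if rtype == TYPE_NS:
        return name_to_wire(value)   # NS target is lowercased too (s.6.2)
    if rtype == TYPE_A:
        return ipaddress.IPv4Address(value).packed
    if rtype == TYPE_AAAA:
        return ipaddress.IPv6Address(value).packed
    raise ValueError(f"unsupported type {rtype}")


def canonical_rr(owner: str, rtype: int, value: str) -> bytes:
    """Assumed hashable form of one RR: owner | TYPE | RDLENGTH | RDATA.
    TTL and CLASS are left out on purpose (see lead-in)."""
    rd = rdata(rtype, value)
    return name_to_wire(owner) + struct.pack("!HH", rtype, len(rd)) + rd


def canonical_order(rrs):
    """RFC 4034 s.6.3 ordering: compare as left-justified unsigned octet
    strings, a shorter prefix sorting first. Python's bytes ordering is
    exactly that. set() drops duplicate RRs, which an RRset cannot hold."""
    return sorted(set(rrs))


def delegation_digest(zone: str, *groups) -> bytes:
    """hash( wire(zone) | canonical_order(group_1) | canonical_order(group_2) ... )."""
    h = hashlib.sha256(name_to_wire(zone))
    for group in groups:
        for rr in canonical_order(group):
            h.update(rr)
    return h.digest()


def split_referral(zone, ns_targets, glue):
    """Build the RR groups from what a referral carries: the NS RRset at the
    zone cut plus (owner, address) glue pairs, split into A and AAAA."""
    ns = [canonical_rr(zone, TYPE_NS, t) for t in ns_targets]
    a = [canonical_rr(o, TYPE_A, ip) for o, ip in glue if ":" not in ip]
    aaaa = [canonical_rr(o, TYPE_AAAA, ip) for o, ip in glue if ":" in ip]
    return ns, a, aaaa


def three_ds(zone, ns_targets, glue):
    """draft-dickson style: one DS per group (alg_NS, alg_A, alg_AAAA)."""
    ns, a, aaaa = split_referral(zone, ns_targets, glue)
    return {"alg_NS": delegation_digest(zone, ns),
            "alg_A": delegation_digest(zone, a),
            "alg_AAAA": delegation_digest(zone, aaaa)}


def one_ds(zone, ns_targets, glue):
    """draft-fujiwara style: a single DS over NS RRset | glue set."""
    ns, a, aaaa = split_referral(zone, ns_targets, glue)
    return delegation_digest(zone, ns, a + aaaa)


def present(zone: str, alg: str, digest: bytes) -> str:
    """DS presentation format mirroring the mail: key tag 0, digest type 2."""
    return f"{zone} IN DS 0 {alg} 2 {digest.hex()}"


if __name__ == "__main__":
    # Constructed sample delegation (not real data).
    zone = "example."
    ns = ["ns2.example.", "NS1.example."]
    glue = [("ns1.example.", "192.0.2.1"), ("ns2.example.", "2001:db8::2"),
            ("ns2.example.", "192.0.2.2")]
    for alg, d in three_ds(zone, ns, glue).items():
        print(present(zone, alg, d))
    print(present(zone, "new_alg", one_ds(zone, ns, glue)))
```

Because both signer and verifier rebuild the RR groups from their own copy of the delegation, the digest must not depend on the order or letter case in which the records happen to arrive; that is what the canonical form and ordering buy. A verifier compares the digest it computes from the referral it received against the DS it obtained from the signed parent, and any change to an NS target or a glue address changes the corresponding digest.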