On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117 dnsop 
> agenda.
> 
>     https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
> 
> I haven't seen prior discussion of this item on the list, and,
> personally, rather suspect it unlikely to gain meaningful support from
> the WG and see adoption.
> 
> Would it possible to defer discussion of this document to such time as
> some evidence of support emerges, and in the meantime use the timeslot
> for more realistically productive proposals?

I should perhaps have stated the technical criteria on which I consider
the proposal non-viable.  To wit:

    - The proposed protocol lacks all downgrade resistance.
    - Without a signed delegation from the parent, the existence of the
      zone apex CERT RRs and associated RRSIGs is trivially denied by
      an on-path attacker.
    - This protocol adds failure modes (CERTs and RRSIGs are available,
      but don't match), without adding any security.

Since the point of DNSSEC is to thwart active attacks, and the protocol
in the proposed draft offers no such protection, I consider it
non-viable.

There are other substantial issues, but the above is sufficient to stop
looking for more reasons why this is a dead-end.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
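The three objections in the message above, as a toy model in Python. This is an added example, not code from the list post or from the draft: it does not implement the draft's actual mechanism, only the generic shape Viktor describes (apex CERT plus RRSIG, no signed statement from the parent) next to an ordinary DS-anchored delegation. RRSIG verification is modelled with HMAC over canonical RRset text, the parent's key is assumed already trusted by the resolver (the role of the root trust anchor), the CERT rdata is a constructed placeholder, and the self-asserting resolver is even handed the correct zone key so that only the stripping, downgrade and mismatch behaviour is being tested.

```python
"""Toy model of: no downgrade resistance, trivial denial of apex CERT/RRSIG by
an on-path attacker, and a mismatch failure mode that buys no security.
Added example, not from the draft or the list thread.  HMAC stands in for
RRSIG crypto; the parent's key is assumed to be trusted by the resolver."""
import hashlib
import hmac
from dataclasses import dataclass

ZONE = "example.test."
ZONE_KEY = b"toy-zone-key"      # stand-in for the child zone's signing key
PARENT_KEY = b"toy-parent-key"  # stand-in for the parent's key (trusted anchor)
INSECURE, SECURE, BOGUS = "insecure", "secure", "bogus"


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


@dataclass
class Response:
    records: list   # RRs in the answer section
    rrsigs: dict    # rtype -> tag over that RRset (stands in for an RRSIG)


def canonical(rrset):
    return "\n".join(f"{r.owner} {r.rtype} {r.rdata}"
                     for r in sorted(rrset, key=lambda r: r.rdata)).encode()


def sign(rrset, key):
    return hmac.new(key, canonical(rrset), hashlib.sha256).hexdigest()


def verify(rrset, tag, key):
    return tag is not None and hmac.compare_digest(sign(rrset, key), tag)


def rrset(resp, rtype):
    return [r for r in resp.records if r.rtype == rtype]


def zone_answer(with_cert):
    """Authoritative apex answer: an A record, plus CERT and RRSIGs if the zone opts in."""
    a = [RR(ZONE, "A", "192.0.2.10")]
    if not with_cert:
        return Response(a, {})
    cert = [RR(ZONE, "CERT", "PKIX 0 0 MIIB...")]  # constructed placeholder rdata
    return Response(a + cert, {"A": sign(a, ZONE_KEY), "CERT": sign(cert, ZONE_KEY)})


def strip_attack(resp):
    """On-path attacker drops the CERT RRset and every RRSIG; nothing else changes."""
    return Response([r for r in resp.records if r.rtype != "CERT"], {})


def tamper_attack(resp):
    """On-path attacker rewrites the A record but leaves CERT and RRSIGs in place."""
    forged = [RR(r.owner, r.rtype, "203.0.113.66") if r.rtype == "A" else r
              for r in resp.records]
    return Response(forged, dict(resp.rrsigs))


def resolve_self_asserted(resp, zone_key=ZONE_KEY):
    """Only the zone itself says whether it is signed: with no signed statement
    from the parent, an answer without CERT/RRSIG can only be treated as unsigned."""
    if not rrset(resp, "CERT"):
        return INSECURE  # 'never signed' and 'stripped in transit' are indistinguishable
    ok = all(verify(rrset(resp, t), resp.rrsigs.get(t), zone_key) for t in ("A", "CERT"))
    return SECURE if ok else BOGUS  # mismatch: a failure the attacker can trigger at will


def parent_ds(child_signed):
    """What the parent publishes under PARENT_KEY: a DS over the zone key, or an
    authenticated 'no DS' statement (the job NSEC/NSEC3 does in DNSSEC)."""
    body = hashlib.sha256(ZONE_KEY).hexdigest() if child_signed else "NO-DS"
    return body, hmac.new(PARENT_KEY, body.encode(), hashlib.sha256).hexdigest()


def resolve_with_delegation(resp, ds, zone_key=ZONE_KEY):
    """DNSSEC-style policy: the parent's signed DS decides whether RRSIGs must be
    present, so an answer from a zone with a DS that lacks them is bogus."""
    body, tag = ds
    expect = hmac.new(PARENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag):
        return BOGUS     # the attacker cannot strip or forge the parent's statement
    if body == "NO-DS":
        return INSECURE  # authenticated denial: the zone really is unsigned
    if body != hashlib.sha256(zone_key).hexdigest():
        return BOGUS     # key does not match the DS
    types = {r.rtype for r in resp.records}
    ok = all(verify(rrset(resp, t), resp.rrsigs.get(t), zone_key) for t in types)
    return SECURE if ok else BOGUS


def outcomes():
    signed, unsigned = zone_answer(True), zone_answer(False)
    return {
        "self_asserted": {
            "honest signed": resolve_self_asserted(signed),
            "honest unsigned": resolve_self_asserted(unsigned),
            "stripped": resolve_self_asserted(strip_attack(signed)),
            "tampered": resolve_self_asserted(tamper_attack(signed)),
        },
        "with_delegation": {
            "honest signed": resolve_with_delegation(signed, parent_ds(True)),
            "honest unsigned": resolve_with_delegation(unsigned, parent_ds(False)),
            "stripped": resolve_with_delegation(strip_attack(signed), parent_ds(True)),
            "tampered": resolve_with_delegation(tamper_attack(signed), parent_ds(True)),
            "stripped, forged no-DS": resolve_with_delegation(strip_attack(signed), ("NO-DS", "0" * 64)),
        },
    }


if __name__ == "__main__":
    for policy, results in outcomes().items():
        for case, status in results.items():
            print(f"{policy:16} {case:24} -> {status}")
```

Under the self-asserted policy the stripped answer comes back "insecure", exactly what an honestly unsigned zone returns, which is the downgrade; the tampered answer comes back "bogus", a hard failure the attacker can cause whenever it prefers denial of service over a silent downgrade. Under the delegation policy the same stripped or tampered answers are "bogus" and a forged "no DS" is rejected, because the only thing the attacker cannot remove or rewrite is the statement signed by the parent.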
