On 1/30/24 16:05, Paul Wouters wrote:
DNSSEC is not mandatory, it is recommended.

One motivation behind DELEG is the ability to use “Aliasmode” to point to an
SVCB record elsewhere, which contains a DS record. This way, DS records in
various top level domains can be federated under a single operator. This works
solely if both the DELEG is signed and “elsewhere” is signed.

I don't understand what you are saying here. Can you elaborate and maybe
include an example?

    nohats.ca. 86400 IN NS ns2.foobar.fi.
    nohats.ca. 86400 IN DELEG 0 _conf.ns2.foobar.fi.
    nohats.ca. 86400 IN RRSIG DELEG ...
    _conf.ns2.foobar.fi. 3600 IN SVCB . ( alpn=doq ipv4hint=192.0.2.54
                                          dnskey="257 3 13 BdaQBzPJKqw5U..." )
    _conf.ns2.foobar.fi. 3600 IN RRSIG SVCB ...

The _conf.ns2.foobar.fi. ALPN and DNSKEY configuration can be reused by other
delegations as well, and the operator of ns2.foobar.fi can change it as it sees
fit without requiring the delegations to be updated.
(Hope this is what you meant.)
The whole DELEG thing can also be done without DNSSEC, but then you can't
establish the chain of trust like that. (And you don't need DNSSEC when the
child is insecure, so it's not a problem.)
~Peter
--
https://desec.io/
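
The rule discussed in this thread, as an added example that is not part of the original message or of any DELEG implementation: follow an alias-mode DELEG to the shared SVCB record and accept its `dnskey` as a trust input only when both RRsets are signed. The presence of an RRSIG stands in for real DNSSEC validation, and the `insecure.test.` delegation and all function names are constructed for illustration.

```python
import re

# Constructed zone data modelled on the records in the message above.
# RRSIG bodies are elided; insecure.test. is an added, unsigned delegation.
ZONE = """\
nohats.ca. 86400 IN NS ns2.foobar.fi.
nohats.ca. 86400 IN DELEG 0 _conf.ns2.foobar.fi.
nohats.ca. 86400 IN RRSIG DELEG ...
insecure.test. 86400 IN DELEG 0 _conf.ns2.foobar.fi.
_conf.ns2.foobar.fi. 3600 IN SVCB . ( alpn=doq ipv4hint=192.0.2.54 dnskey="257 3 13 BdaQBzPJKqw5U..." )
_conf.ns2.foobar.fi. 3600 IN RRSIG SVCB ...
"""

def parse(text):
    """Return ({(owner, type): [rdata]}, {(owner, covered type)} that have an RRSIG)."""
    rrsets, signed = {}, set()
    for line in text.splitlines():
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0]))  # first RRSIG field: type covered
        else:
            rrsets.setdefault((owner, rtype), []).append(rdata)
    return rrsets, signed

def resolve_deleg(child, rrsets, signed):
    """Follow an alias-mode DELEG (priority 0) and say whether trust carries over."""
    prio, target = rrsets[(child, "DELEG")][0].split()[:2]
    if prio != "0":
        raise ValueError("only alias mode is modelled here")
    svcb = rrsets[(target, "SVCB")][0]
    params = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', svcb)}
    # Both links must be signed: the DELEG at the parent and the SVCB "elsewhere".
    secure = (child, "DELEG") in signed and (target, "SVCB") in signed
    return {
        "target": target,
        "alpn": params.get("alpn"),  # transport settings are usable either way
        "dnskey": params["dnskey"] if secure else None,  # never trust an unsigned key
        "secure": secure,
    }

RRSETS, SIGNED = parse(ZONE)

if __name__ == "__main__":
    for name in ("nohats.ca.", "insecure.test."):
        print(name, resolve_deleg(name, RRSETS, SIGNED))
```

Both delegations reuse the same `_conf.ns2.foobar.fi.` record; only the one with a signed DELEG yields a key, and the other is treated as an insecure child.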