Hi Mark,

On 21/07/2024 00:20, Mark Andrews wrote:
> DS is the wrong logical point to signal dry run, or at least there should also be a key flag; otherwise a parent can downgrade the security of zones that don’t want dry run semantics. Additional validation doesn’t require the DS to be present. It is only required to validate the DNSKEY RRset.
Isn't the parent downgrade attack the same as the parent pulling the DS altogether?
In the beginning we were thinking that a flag in the DNSKEY itself could also work for dry-run, but that has the disadvantage of requiring changes to your signing procedure.
What we strive for with dry-run and DS signaling is that if the zone under dry-run testing is ready to be secure, the operator does not need to touch anything on the already signed (and tested!) zone. The turn-key solution is to just replace the dry-run DS with the real DS in the parent.
Best regards,
-- 
Yorgos
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
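As an added illustration of the "just replace the dry-run DS with the real DS in the parent" point (this is example code written for this page, not code from the thread, the draft, or any implementation): it derives a DS record from a DNSKEY exactly as RFC 4034 specifies (key tag per Appendix B, digest over canonical owner name plus DNSKEY RDATA), and models the three parent states discussed above (no DS, dry-run DS only, real DS) with a validator-side mode function. The `dry_run` field is a hypothetical in-memory marker standing in for whatever the parent-side signal is; it is not the draft's wire encoding. The owner name `example.test.` and the 64-byte placeholder public key are constructed sample input, not a real key.

```python
"""Added example: DS derivation per RFC 4034 and a parent-side dry-run swap.

The dry_run marker is hypothetical (stands in for the parent-side signal);
the sample key and owner name are constructed, not real DNS data.
"""
import hashlib
from dataclasses import dataclass, replace


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels, RFC 4034 s6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes
    dry_run: bool = False  # hypothetical marker for the parent-side dry-run signal


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner: str, rdata: bytes, digest_type: int = 2, dry_run: bool = False) -> DS:
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), rdata[3], digest_type, digest, dry_run)


def ds_matches_dnskey(ds: DS, owner: str, rdata: bytes) -> bool:
    """The DS/DNSKEY match a validator checks; it is independent of the marker."""
    expected = make_ds(owner, rdata, ds.digest_type)
    return (ds.key_tag, ds.algorithm, ds.digest) == (
        expected.key_tag, expected.algorithm, expected.digest)


def promote(ds: DS) -> DS:
    """Parent-side step only: the dry-run DS becomes the real DS.

    Nothing in the child zone (DNSKEY, RRSIGs) changes, so the digest is unchanged.
    """
    return replace(ds, dry_run=False)


def validator_mode(ds_set) -> str:
    """Parent states: no DS -> insecure; only dry-run DS -> validate and
    report but never fail; at least one real DS -> secure."""
    if not ds_set:
        return "insecure"
    if all(ds.dry_run for ds in ds_set):
        return "dry-run"
    return "secure"


# Constructed sample input: a 64-byte placeholder key, not a real ECDSA P-256 key.
OWNER = "example.test."
SAMPLE_KEY = bytes(range(1, 65))
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY)  # KSK flags, protocol 3, alg 13

if __name__ == "__main__":
    dry = make_ds(OWNER, SAMPLE_RDATA, dry_run=True)
    real = promote(dry)
    print(f"key tag {dry.key_tag}, digest {dry.digest.hex()}")
    print(validator_mode([dry]), "->", validator_mode([real]))
```

The same `DS` tuple also makes Mark's concern concrete: because the marker lives only on the parent side, a parent can publish a dry-run DS for a child that never asked for it, and `validator_mode` drops that child from "secure" to "dry-run" without any change in the child zone, just as removing the DS drops it to "insecure".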