I am aware that this is the dnsop wg discussion mailing list and not the DD 
(deleg wg) mailing list, so I encourage Peter to re-post his email to the deleg 
WG discussion mailing list.....

My motivation for bringing Peter's draft up at the microphone at this morning's 
deleg WG is as follows:

At a high level, DELEG seems to encompass attributes related to both transport 
(e.g., encrypted transports) and DNSSEC security (DS aliasing).

The DS record already indicates if a delegation is secured and, if so, provides 
a signed digest over the secure entry point of the delegated zone. In theory, 
the digest function could be as simple as an identity hash function (where 
pre-image equals the output). The result of this function would be the alias 
FQDN.

This alias FQDN serves as the secure entry point for the delegated zone.

While I thought this was an original idea when I heard it during the DELEG 
discussions, it has been proposed by both Peter van Dijk (see below) and Paul 
Wouters independently (I've seen a draft for it, named "ds uplifting", though 
not in the datatracker, alas), and have heard today in the hallway that others 
have suggested it as well.

This proposal allows validators to do the DS aliasing, and resolvers to do 
DELEG. A nice separation of functionality IMHO.

Roy
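A worked illustration of the two DS digest modes described above, added here as an example and not taken from the thread or from the draft: the conventional SHA-256 digest over the owner name plus DNSKEY RDATA, beside an identity digest whose field is simply the alias FQDN in wire form, which a validator reads straight out of the DS. The digest type code point 250, the zone names and the key bytes are constructed placeholders.

```python
import hashlib
import struct

# Constructed sample data (not from the thread): child zone, one DNSKEY, fake key.
CHILD_ZONE = "child.example."
DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))  # flags, proto, alg 13
DS_DIGEST_SHA256 = 2      # RFC 4509
DS_DIGEST_IDENTITY = 250  # placeholder code point, not an assigned value

def name_to_wire(name):
    """Canonical wire form of a FQDN: lower-cased, length-prefixed labels, root byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def wire_to_name(wire):
    """Inverse of name_to_wire; what a validator runs on an identity digest field."""
    labels, pos = [], 0
    while wire[pos] != 0:
        end = pos + 1 + wire[pos]
        labels.append(wire[pos + 1:end].decode("ascii"))
        pos = end
    return ".".join(labels) + "."

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, dnskey_rdata):
    """Conventional DS digest: SHA-256(owner name wire || DNSKEY RDATA), RFC 4034 5.1.4."""
    return hashlib.sha256(name_to_wire(owner) + dnskey_rdata).digest()

def ds_digest_identity(alias):
    """Identity digest: the pre-image is published unhashed, here the alias FQDN in wire form."""
    return name_to_wire(alias)

def ds_rdata(dnskey_rdata, digest_type, digest):
    """DS RDATA layout: key tag, algorithm, digest type, digest (RFC 4034 5.1)."""
    return struct.pack("!HBB", key_tag(dnskey_rdata), dnskey_rdata[3], digest_type) + digest

def alias_from_ds(ds):
    """Validator side: parse DS RDATA; return the alias FQDN only for the identity type."""
    _tag, _alg, digest_type = struct.unpack("!HBB", ds[:4])
    if digest_type != DS_DIGEST_IDENTITY:
        return None  # ordinary DS: the digest is opaque hash output, nothing to alias
    return wire_to_name(ds[4:])
```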

> On 4 Nov 2024, at 13:47, Peter van Dijk <peter.van.d...@powerdns.com> wrote:
> 
> Hello fine DNS people,
> 
> in light of discussions I've had with several people here in Dublin
> (mostly around DELEG), I am reviving some old drafts because they might
> be interesting to consider for the "toolbox" again.
> 
> For this draft, which allows unhashed publication of data in DS records,
> the context is that getting a new parent-authoritative type deployed may
> take some time, but DS works today. This may or may not be a feasible,
> available now/soon, perhaps temporary, method of deploying DELEG.
> 
> (I write this without any opinion on what the right choice for initial,
> or future, DELEG deployment, is.)
> 
> Previous discussion on this draft is in
> https://mailarchive.ietf.org/arch/msg/dnsop/Ak5XVuiLnlGxwatbKlYpcWnpE4o/
> 
> (Thanks to Roy Arends for pointing out that IDENTITY might be a more
> technically correct name for this, although we both feel it is likely not
> the -best- name.)
> 
> -------- Forwarded Message --------
> From: internet-dra...@ietf.org
> To: Peter van Dijk <peter.van.d...@powerdns.com>
> Subject: [EXT] New Version Notification for draft-vandijk-dnsop-ds-digest-verbatim-02.txt
> Date: 11/04/24 11:04:26
> 
> A new version of Internet-Draft draft-vandijk-dnsop-ds-digest-verbatim-02.txt
> has been successfully submitted by Peter van Dijk and posted to the
> IETF repository.
> 
> Name:     draft-vandijk-dnsop-ds-digest-verbatim
> Revision: 02
> Title:    The VERBATIM Digest Algorithm for DS records
> Date:     2024-11-04
> Group:    Individual Submission
> Pages:    5
> URL:      
> https://www.ietf.org/archive/id/draft-vandijk-dnsop-ds-digest-verbatim-02.txt
> Status:   
> https://datatracker.ietf.org/doc/draft-vandijk-dnsop-ds-digest-verbatim/
> HTML:     
> https://www.ietf.org/archive/id/draft-vandijk-dnsop-ds-digest-verbatim-02.html
> HTMLized: 
> https://datatracker.ietf.org/doc/html/draft-vandijk-dnsop-ds-digest-verbatim
> Diff:     
> https://author-tools.ietf.org/iddiff?url2=draft-vandijk-dnsop-ds-digest-verbatim-02
> 
> Abstract:
> 
>   The VERBATIM DS Digest is defined as a direct copy of the input data
>   without any hashing.
> 
> 
> 
> The IETF Secretariat
> 
> 
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-le...@ietf.org
