On Dec 26, 2024, at 14:25, Olafur Gudmundsson <o...@ogud.com> wrote:
>
> I would say online signing is way superior operating practice than off-line
> signing, there is no need for NSEC3 in on-line signing operations!
I asked whether NSEC3 was a good idea or not; a notable response was that without NSEC3, DNSSEC would never have been deployed in most, if not all, ccTLD environments.

On-line signing, or signing answers tailored to queries, would have meant no NSEC, no NSEC3, no need to sort zones at all. There would have been no need to abandon the practice of storing zone data in hash tables (as opposed to maintaining a tree structure).

There is one obstacle to standardizing on on-line signing. Trusting hosts with keys used to be an obstacle, but it is not now. The obstacle is being able to coordinate keys per host operator. It could be simple: have the operators each list their keys in the zone apex, but this assumes all the operators agree on the DNS security algorithm. Coordinating when there is no overlap in DNS security algorithms gets tricky.

One could (and this is blue sky talking) have the zone administrator publish at the apex the private keys wrapped in the public key of the various hosting providers. I.e., each hosting provider would have a key pair specifically for this purpose; when a zone administrator buys services from a hosting provider, the hosting provider indicates the key the zone admin is to use to wrap keys.

I think on-line signing ought to replace off-line signing, even though this shifts the "end-to-end" relationship from zone-admin-to-relying-party to authoritative-server-to-relying-party. I don't know if any shift will ever happen.

When on-line signing emerged, it was radical. Reflecting on its track record and the state of DNSSEC deployment, on-line signing is a good idea, needing some adjustment for multi-signer (as an RFC/standards feature).
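The key-wrapping idea sketched in the message above, as an added example that is not part of the original post and not anything DNSOP has standardized: a Go sketch in which each hosting provider holds a key pair used only to receive wrapped zone keys, the zone administrator encrypts the zone's Ed25519 signing seed to each provider's public key, and a provider's authoritative server unwraps it and signs an RRset per query. RSA-OAEP as the wrapping algorithm, Ed25519 as the zone's DNSSEC algorithm, the base64 "apex record" form, the purpose label, and the provider names are all assumptions made for the example; a real design would also have to define the apex record type and the canonical RRSIG input, which are left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// wrapLabel (assumed) binds the OAEP ciphertext to its purpose so a provider's
// wrap key cannot be used to unwrap blobs produced for some other protocol.
const wrapLabel = "dnssec-online-signing-key-v0"

// NewProviderWrapKey is the long-lived key pair a hosting provider publishes
// solely for receiving wrapped zone keys. RSA-OAEP is an assumption here; the
// post does not name a wrapping algorithm.
func NewProviderWrapKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapZoneKey is run by the zone administrator: the Ed25519 signing seed is
// encrypted to one provider's public wrap key and returned base64-encoded, the
// form it would take in a (hypothetical) apex record.
func WrapZoneKey(providerPub *rsa.PublicKey, zoneKey ed25519.PrivateKey) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, providerPub, zoneKey.Seed(), []byte(wrapLabel))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// WrapForProviders produces one wrapped copy per provider, keyed by provider
// name, so providers with unrelated wrap keys all receive the same zone key.
func WrapForProviders(providers map[string]*rsa.PublicKey, zoneKey ed25519.PrivateKey) (map[string]string, error) {
	out := make(map[string]string, len(providers))
	for name, pub := range providers {
		w, err := WrapZoneKey(pub, zoneKey)
		if err != nil {
			return nil, fmt.Errorf("wrap for %s: %w", name, err)
		}
		out[name] = w
	}
	return out, nil
}

// UnwrapZoneKey is run on the provider's authoritative server; only the holder
// of the matching private wrap key can recover the signing key.
func UnwrapZoneKey(providerPriv *rsa.PrivateKey, wrapped string) (ed25519.PrivateKey, error) {
	ct, err := base64.StdEncoding.DecodeString(wrapped)
	if err != nil {
		return nil, err
	}
	seed, err := rsa.DecryptOAEP(sha256.New(), nil, providerPriv, ct, []byte(wrapLabel))
	if err != nil {
		return nil, err
	}
	if len(seed) != ed25519.SeedSize {
		return nil, errors.New("unwrapped blob is not an Ed25519 seed")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// OnlineSign is what the server does per query: sign the canonical form of the
// RRset it is about to return. rrsetCanon is just the bytes to be signed; the
// real RRSIG wire-format input is not modelled here.
func OnlineSign(zoneKey ed25519.PrivateKey, rrsetCanon []byte) []byte {
	return ed25519.Sign(zoneKey, rrsetCanon)
}

// VerifyRRset is the relying party's check against the zone's published DNSKEY.
func VerifyRRset(zonePub ed25519.PublicKey, rrsetCanon, sig []byte) bool {
	return ed25519.Verify(zonePub, rrsetCanon, sig)
}

func main() {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader) // zone admin's key (DNSSEC alg 15)
	providerA, _ := NewProviderWrapKey()
	providerB, _ := NewProviderWrapKey()

	// Constructed "apex" publication: one wrapped blob per (hypothetical) provider.
	wrapped, _ := WrapForProviders(map[string]*rsa.PublicKey{
		"provider-a.example": &providerA.PublicKey,
		"provider-b.example": &providerB.PublicKey,
	}, zonePriv)

	// Provider B unwraps its own blob and answers a query by signing on the fly.
	k, _ := UnwrapZoneKey(providerB, wrapped["provider-b.example"])
	rrset := []byte("www.example.\t3600\tIN\tA\t192.0.2.1") // constructed sample RRset
	sig := OnlineSign(k, rrset)
	fmt.Println("provider B signature verifies:", VerifyRRset(zonePub, rrset, sig))

	// Provider B cannot unwrap provider A's blob with its own wrap key.
	_, err := UnwrapZoneKey(providerB, wrapped["provider-a.example"])
	fmt.Println("cross-provider unwrap fails:", err != nil)
}
```

The check a practitioner would want before adopting anything like this: every provider unwraps the same private key, so a compromise of any one provider's wrap key or signing host exposes the zone's signing key for all of them, and the wrapped blobs are public, so provider wrap keys need rotation and revocation like any other key material. That shared-key exposure is the multi-signer adjustment the message says the idea still needs.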