Hi Ulrich, dnsop,
thank you for your effort in improving DNS.
This is a follow-up to your proposal on easing the requirements by
RFC4035, which say, in short, that if there's a DS of an algorithm,
there must be a complete DNSKEY set of that algorithm, and if there is a
DNSKEY of an algorithm,
Greetings again. I have created a new, very short draft to add more private use
algorithms to DNSSEC.
https://datatracker.ietf.org/doc/draft-hoffman-more-private-algs/
The abstract says:
RFC 4034 allocates one value in the IANA registry for DNSSEC
algorithm numbers for private algorithms.
Paul Hoffman wrote:
In the meantime, anyone interested can make suggestions on how to
improve the draft so that it is nice and shiny when it comes to the WG
for adoption.
it just
indicates that the value of deploying DNSSEC is often considered
lower than the cost.
is just wrong.
Cons
On Mar 21, 2022, at 07:10, Masataka Ohta wrote:
>
> Constructive thing to do to make DNS secure is to totally abandon
> DNSSEC and rely on DNS cookie or something like that.
DNS cookies provide no data origin security, only a weak transport security
against non-onpath attackers.
A replac