[dns-operations] Split DNS: DNSSEC outside and not inside

Mark Andrews Mark_Andrews at isc.org
Wed Sep 3 04:13:33 UTC 2008


> At 13:46 +1000 9/3/08, Mark Andrews wrote:
> 
> >	You would have to touch the control plane to support a "null
> >	key" as the DS records from the parent won't match the "null
> >	key".
> 
> Diving way too deeply into a solution at this point (forgetting for a 
> moment that this isn't the protocol-defining mailing list, this one is the 
> operations list)...no, it isn't necessary.
> 
> One could potentially have a DNSKEY set including the key that 
> corresponds to the DS at the parent and then another key of the same 
> algorithm designating that the algorithm is not used for signing the 
> zone.
> 
> That would be one way to avoid the control plane and keep this data driven.

	And open the outside up to a simple downgrade attack.  The
	DS of a "null key" is simple to identify, so too is the
	construction of a "null key" as there is no private part.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org