[dns-operations] Split DNS: DNSSEC outside and not inside
Mark Andrews
Mark_Andrews at isc.org
Wed Sep 3 04:13:33 UTC 2008
> At 13:46 +1000 9/3/08, Mark Andrews wrote:
>
> > You would have to touch the control plane to support a "null
> > key" as the DS records from the parent won't match the "null
> > key".
>
> Diving way too deeply into a solution at this point (forgetting for a
> moment that this isn't the protocol-defining mailing list, this one is an
> operations list)...no, it isn't necessary.
>
> One could potentially have a DNSKEY set including the key that
> corresponds to the DS at the parent and then another key of the same
> algorithm designating that the algorithm is not used for signing the
> zone.
>
> That would be one way to avoid the control plane and keep this data driven.
And open the outside up to a simple downgrade attack. The
DS of a "null key" is simple to identify, so too is the
construction of a "null key" as there is no private part.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
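To see why the DS of such a "null key" would be trivially identifiable, here is an added Python example (not from the thread or from ISC) that derives DS records the way RFC 4034 section 5.1.4 and RFC 4509 specify; the null key's encoding (SEP flag set, algorithm 8, empty public key field) is an assumed convention for illustration, and the owner names and key bytes are constructed.

```python
import hashlib
import struct

# Constructed placeholder for the hypothetical "null key" from the thread:
# a DNSKEY with the SEP bit set and an empty public key field (no private part exists).
NULL_KEY = (257, 3, 8, b"")   # flags, protocol, algorithm (RSASHA256), public key

def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-octet flags, 1-octet protocol, 1-octet algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """DS RDATA for a DNSKEY: key tag, algorithm, digest type 2 (SHA-256, RFC 4509),
    digest computed over canonical owner name | DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def is_null_key_ds(owner: str, ds) -> bool:
    """Because the null key has a fixed public part and no secret, anyone (a validator,
    an auditor, or an attacker) can derive its DS for any owner and compare."""
    return ds == ds_record(owner, *NULL_KEY)

if __name__ == "__main__":
    # Constructed sample: a DS for a "real" KSK with fake, fixed public key bytes.
    real_ds = ds_record("example.com.", 257, 3, 8, bytes(range(1, 65)))
    null_ds = ds_record("example.com.", *NULL_KEY)
    print("real key DS :", real_ds)
    print("null key DS :", null_ds)
    print("null-key DS recognised:", is_null_key_ds("example.com.", null_ds))
```

Note that the null key's key tag is the same for every zone (it depends only on the RDATA), and its digest for a given owner is computable by anyone, which is the identifiability Mark describes.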