[dns-operations] any registries require DNSKEY not DS?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Apr 17 22:00:39 UTC 2020

On Fri, Apr 17, 2020 at 01:45:02PM -0700, Brian Dickson wrote:

> Would the method have potentially been to have GLUEA and GLUEAAAA
> records rather than effectively overloading the A/AAAA status
> (authoritative vs not)?
> And then all of the new types that live only in the parent, could have
> been signed.

Probably something like that, or perhaps still with host names.

> I'm guessing it's way too late to start doing that now, without rev'ing
> all of DNS to v2.

Well, it need not be a flag day: provided the parent zone is still
willing to publish legacy unsigned glue along with the new signed
delegation records, newer clients would prefer the new records and
older clients would use the legacy glue.

Support for the new delegation records can be signalled via a
(new) bit in the parent zone DNSKEY flags.  This would avoid
having to pay the cost of asking for them in zones that don't
yet support the new signed delegation RRs.

These would also reduce opportunities for DoS via the IP
fragmentation attacks, ... because delegation records would
no longer be subject to forgery.

The key question is whether parent zone operators (e.g. TLDs)
can be convinced that this is a good idea.  They would now
need to sign all the delegations, not just the secure ones,
so the immediate audience for this would be the TLDs where
say ~25% or more of the delegations are already signed:

    .nl, .se, .cz, .br, ...

and signing everything would not be a dramatic new cost.
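The scheme sketched in this post (legacy unsigned glue published alongside
signed delegation records, with support advertised by a bit in the parent's
DNSKEY flags, new clients preferring the signed records, old clients using
the glue) modelled as an added example. This is not code from the post or
from any real resolver: the flag bit (an otherwise unassigned bit 14), the
"signed delegation" record shape, the HMAC standing in for an RRSIG, the
names and addresses, and the choice that a new client treats a missing or
failed signed record as bogus rather than falling back to glue are all
assumptions of the example.

```python
"""Toy model of signed delegation records published next to legacy glue.

Constructed example; not real DNS code.  The DNSKEY flag bit, the record
format and the HMAC 'signature' stand in for things the post leaves open.
"""
import copy
import hashlib
import hmac
from dataclasses import dataclass, field

# Real DNSKEY flag bits (RFC 4034 s.2.1.1, RFC 5011 s.2.1).
DNSKEY_ZONE_KEY = 0x0100   # bit 7
DNSKEY_REVOKE = 0x0080     # bit 8
DNSKEY_SEP = 0x0001        # bit 15
# ASSUMPTION: bit 14, currently unassigned, plays the proposed
# "this parent signs its delegations" flag.  Not a real allocation.
DNSKEY_SIGNED_DELEG = 0x0002


@dataclass
class DNSKEY:
    owner: str
    flags: int
    secret: bytes            # stand-in for the zone key material


@dataclass
class Referral:
    zone: str                # delegated zone name
    ns: list                 # NS target host names
    glue: dict               # host -> [addr]; legacy, unsigned
    signed_deleg: dict = field(default_factory=dict)  # host -> {"addrs", "sig"}


class Bogus(Exception):
    """Raised when a signed delegation record fails validation."""


def parent_supports_signed_delegations(keys):
    """True if an unrevoked zone key of the parent carries the (assumed) flag."""
    return any(k.flags & DNSKEY_ZONE_KEY and not k.flags & DNSKEY_REVOKE
               and k.flags & DNSKEY_SIGNED_DELEG for k in keys)


def _canonical(zone, host, addrs):
    return (zone + "|" + host + "|" + ",".join(sorted(addrs))).encode()


def sign_delegation(key, zone, host, addrs):
    # ASSUMPTION: HMAC over a canonical form stands in for an RRSIG.
    return hmac.new(key.secret, _canonical(zone, host, addrs), hashlib.sha256).digest()


def verify_delegation(keys, zone, host, addrs, sig):
    return any(k.flags & DNSKEY_ZONE_KEY and not k.flags & DNSKEY_REVOKE
               and hmac.compare_digest(sign_delegation(k, zone, host, addrs), sig)
               for k in keys)


def legacy_resolver(referral, keys):
    """Old client: ignores the new records and trusts unsigned glue as-is."""
    return {h: ("unsigned", list(a)) for h, a in referral.glue.items()}


def new_resolver(referral, keys):
    """New client: with the flag set, use only validated delegation records.

    In practice the client would not even ask for the new records when the
    parent's DNSKEY lacks the flag; here they are simply ignored then.
    """
    if not parent_supports_signed_delegations(keys):
        return legacy_resolver(referral, keys)
    out = {}
    for host in referral.ns:
        rec = referral.signed_deleg.get(host)
        if rec is None:
            if host in referral.glue:      # in-bailiwick host without a signed
                raise Bogus(f"no signed delegation for {host}")  # record: downgrade
            continue                        # out-of-bailiwick: resolve separately
        if not verify_delegation(keys, referral.zone, host, rec["addrs"], rec["sig"]):
            raise Bogus(f"signed delegation for {host} failed validation")
        out[host] = ("secure", list(rec["addrs"]))
    return out


# Constructed parent keys: one advertising the flag, one not.
PARENT_KEY = DNSKEY("example.", DNSKEY_ZONE_KEY | DNSKEY_SIGNED_DELEG, b"constructed-secret-1")
LEGACY_PARENT_KEY = DNSKEY("example.", DNSKEY_ZONE_KEY, b"constructed-secret-2")


def build_referral(key):
    """Honest referral for child.example. with glue and matching signed records."""
    addrs = {"ns1.child.example.": ["192.0.2.53"], "ns2.child.example.": ["2001:db8::53"]}
    ref = Referral("child.example.", list(addrs), {h: list(a) for h, a in addrs.items()})
    for host, a in addrs.items():
        ref.signed_deleg[host] = {"addrs": list(a), "sig": sign_delegation(key, ref.zone, host, a)}
    return ref


def forge_glue(referral, attacker_addr):
    """Attacker substitutes the unsigned glue (e.g. via fragment replacement)."""
    forged = copy.deepcopy(referral)
    for host in forged.glue:
        forged.glue[host] = [attacker_addr]
    return forged


def forge_signed(referral, attacker_addr):
    """Attacker rewrites the signed record's addresses but cannot re-sign."""
    forged = copy.deepcopy(referral)
    for rec in forged.signed_deleg.values():
        rec["addrs"] = [attacker_addr]
    return forged
```

With the honest referral both resolvers agree on the addresses; with forged
glue the legacy resolver follows the attacker while the new resolver still
returns the signed addresses; with a forged signed record the new resolver
raises Bogus instead of silently using either copy. Against a parent whose
DNSKEY lacks the flag, the new resolver behaves exactly like the legacy one.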

