[dns-operations] any registries require DNSKEY not DS?

Mark Andrews marka at isc.org
Fri Apr 17 22:48:08 UTC 2020



> On 18 Apr 2020, at 08:00, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Fri, Apr 17, 2020 at 01:45:02PM -0700, Brian Dickson wrote:
> 
>> Would the method have potentially been to have GLUEA and GLUEAAAA
>> records rather than effectively overloading the A/AAAA status
>> (authoritative vs not)?
>> 
>> And then all of the new types that live only in the parent, could have
>> been signed.
> 
> Probably something like that, or perhaps still with host names.
> 
>> I'm guessing it's way too late to start doing that now, without rev'ing
>> all of DNS to v2.
> 
> Well it need not be a flag day, provided the parent zone is still
> willing to publish legacy unsigned glue along with the new signed
> delegation records, newer clients would prefer the new records and
> older clients would use the legacy glue.
> 
> Support for the new delegation records can be signalled via a
> (new) bit in the parent zone DNSKEY flags.  This would avoid
> having to pay the cost of asking for them in zones that don't
> yet support the new signed delegation RRs.
> 
> These would also reduce opportunities for DoS via the IP
> fragmentation attacks, ... because delegation records would
> no longer be subject to forgery.

Or the TLD operators could turn off IPv4 and go IPv6 only with
non-counter fragmentation ID generation enabled.  That would
stop fragmentation reassembly attempts succeeding.  I’m not
sure of the state of play with ID generation on Linux boxes but
BSD boxes can definitely meet the criteria.

Or we could adopt the well known TSIG approach and defeat
fragmentation attacks that way.  This works for both IPv4 and IPv6.

> The key question is whether parent zone operators (e.g. TLDs)
> can be convinced that this is a good idea.  They would now
> need to sign all the delegations, not just the secure ones,
> so the immediate audience for this would be the TLDs where
> say ~25% or more of the delegations are already signed:
> 
>    .nl, .se, .cz, .br, ...
> 
> and signing everything would not be a dramatic new cost.
> 
> --
>    Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
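The TSIG point made above (a MAC over the whole message means bytes spliced into a reassembled response no longer verify) as an added, stand-alone example; it is not code from the list post or from ISC. It is a minimal RFC 8945 signer/verifier over hand-built DNS messages using only the Python standard library, limited to HMAC-SHA256, with a constructed zero key, constructed key name and constructed A record as sample data. Real deployments use a random shared key and a proper DNS library; the message builder here is just enough to show what the MAC covers and that altering any covered byte fails verification.

```python
"""Minimal TSIG (RFC 8945) sign/verify over hand-built DNS wire messages.
Added example for illustration; HMAC-SHA256 only; stdlib only."""
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250
CLASS_IN, CLASS_ANY = 1, 255
ALG_NAME = "hmac-sha256."
FUDGE = 300  # seconds of clock skew tolerated (RFC 8945 recommended default)


def wire_name(name):
    """Uncompressed, lowercased (canonical) wire-format domain name."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def read_name(buf, off):
    """Decode a name at off (compression pointers followed); return (name, end)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:               # pointer: 2 bytes, ends the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def a_record(owner, ttl, ipv4):
    """One A RR in wire format (constructed sample data)."""
    rdata = bytes(int(x) for x in ipv4.split("."))
    return wire_name(owner) + struct.pack("!HHIH", 1, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(msg_id, qname, rrs):
    """Authoritative response: header + one question + the given answer RRs."""
    header = struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(rrs), 0, 0)  # QR=1, AA=1
    return header + wire_name(qname) + struct.pack("!HH", 1, CLASS_IN) + b"".join(rrs)


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' the MAC covers (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG_NAME)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_tsig(message, key, keyname, now=None, request_mac=b""):
    """Append a TSIG RR; for a response, request_mac binds it to the query."""
    time_signed = int(time.time()) if now is None else now
    covered = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    covered += message + tsig_variables(keyname, time_signed, FUDGE)
    mac = hmac.new(key, covered, hashlib.sha256).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALG_NAME)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", FUDGE, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))       # original ID, error, other len
    tsig_rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify_tsig(signed, key, expected_keyname, now=None, request_mac=b""):
    """True iff the trailing TSIG RR has the expected key and algorithm, its
    time is within fudge, and the MAC matches every byte that precedes it."""
    now = int(time.time()) if now is None else now
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False
    off = 12
    for _ in range(qd):                               # skip question section
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):                 # skip every RR but the last
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    owner, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    alg, off = read_name(signed, off + 10)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[off:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if (rtype, rclass) != (TSIG_TYPE, CLASS_ANY) or alg != ALG_NAME or orig_id != msg_id:
        return False
    if owner != expected_keyname.rstrip(".").lower() + ".":
        return False
    time_signed = (hi << 32) | lo
    if abs(now - time_signed) > fudge:
        return False
    # Rebuild exactly what the signer covered: message minus the TSIG RR, ARCOUNT-1.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    covered = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    covered += unsigned + tsig_variables(owner, time_signed, fudge, error, other)
    return hmac.compare_digest(mac, hmac.new(key, covered, hashlib.sha256).digest())


def demo(now=1587163688):
    """Sign a constructed response, then show one altered answer byte fails."""
    key = bytes(32)                                    # constructed; use a random key
    msg = build_response(0x1234, "www.example.", [a_record("www.example.", 300, "192.0.2.10")])
    signed = sign_tsig(msg, key, "tsig.key.example.", now=now)
    # Answer RDATA sits at offset 52; flip its last octet (192.0.2.10 -> 192.0.2.11).
    altered = signed[:55] + b"\x0b" + signed[56:]
    return verify_tsig(signed, key, "tsig.key.example.", now=now), \
        verify_tsig(altered, key, "tsig.key.example.", now=now)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verifier reconstructs the covered data from the message itself, so anything after the question, including glue or answer records assembled from a different fragment, is rejected unless the holder of the key produced it; the time and fudge check is what stops a captured signed reply from being replayed later.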




