[DNSSEC-Transparency] Logging of DS removal

Linus Nordberg linus at nordu.net
Mon Feb 1 18:19:02 CET 2016


In an off-list conversation, it's been decided that logging of _removal_
of DS RRs would be useful. If those understanding why this should be
done could explain what attack(s) this will detect, that'd be great.

The next question is how this should be done in practice, in our current
experiment. IIRC we decided in Yokohama that Paul would hack up an
unbound to submit DS records it stumbled over, together with a chain of
keys and signatures up to a trust anchor that the log had configured.
I'm going to show my ignorance and ask how this would be detected and
expressed while pointing out that "duh, NSEC*" is _not_ enough for me to
understand. :) I do accept terse descriptions and pointers to relevant
literature though!

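As an added illustration (not from this thread or the DNSSEC-Transparency
project), here is the DS-to-DNSKEY link a log would have to check at every
zone cut of a submission like the one described above: canonical owner name
plus DNSKEY RDATA hashed per RFC 4034, key tag per RFC 4034 Appendix B, then
the chain walked from a configured trust anchor down to the submitted DS
RRset. Zone names, key bytes and the check_chain/build_sample_chain helpers
are constructed for the example; RRSIG verification over the RRsets, which
the validating resolver already does, is deliberately left out.

```python
import hashlib
import hmac
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int          # 257 = KSK/SEP, 256 = ZSK
    algorithm: int      # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes   # constructed bytes in this example, not a real key
    protocol: int = 3

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag: a lookup hint, not a security property."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """Build the DS a parent would publish for this DNSKEY (RFC 4034 section 5.1.4)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key.owner, key.key_tag(), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """True iff this DS commits to exactly this DNSKEY (owner, tag, algorithm, digest)."""
    if ds.owner.lower().rstrip(".") != key.owner.lower().rstrip("."):
        return False
    if ds.algorithm != key.algorithm or ds.key_tag != key.key_tag():
        return False
    if ds.digest_type not in DIGEST_ALGS:
        return False  # unknown digest type: treat as no link rather than guessing
    expected = DIGEST_ALGS[ds.digest_type](name_to_wire(key.owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


def check_chain(anchor: DS, steps) -> bool:
    """Walk zone cuts from the trust anchor down.

    steps is a list of (dnskey_rrset, ds_rrset_for_child) from the top zone
    downward; the last ds_rrset is the one being submitted to the log.  Each
    zone's DNSKEY RRset must contain a key that the DS pointing at it (the
    anchor first, then the parent's DS RRset) commits to.  RRSIGs are not
    checked here.
    """
    ds_set = [anchor]
    for dnskeys, child_ds in steps:
        if not any(ds_matches(ds, k) for ds in ds_set for k in dnskeys):
            return False
        ds_set = list(child_ds)
    return bool(ds_set)


def build_sample_chain():
    """Constructed sample: root -> se. -> example.se., all key bytes made up."""
    root_ksk = DNSKEY(".", 257, 8, b"constructed-root-ksk-bytes")
    se_ksk = DNSKEY("se.", 257, 13, b"constructed-se-ksk-bytes")
    example_ksk = DNSKEY("example.se.", 257, 13, b"constructed-example-ksk-bytes")
    anchor = ds_from_dnskey(root_ksk)               # log-configured trust anchor
    se_ds = [ds_from_dnskey(se_ksk)]                # published in the root zone
    example_ds = [ds_from_dnskey(example_ksk, 4)]   # published in se., the submission
    return anchor, [([root_ksk], se_ds), ([se_ksk], example_ds)]


if __name__ == "__main__":
    anchor, steps = build_sample_chain()
    print("chain links to anchor:", check_chain(anchor, steps))
```

The same check_chain call is what a log would run on the chain of keys a
modified unbound submits alongside each DS RRset; a submission whose DS does
not hash to any key in the child zone should be rejected before it is logged.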
