[DNSSEC-Transparency] Logging of DS removal

Jan VĨelak jan.vcelak at nic.cz
Wed Feb 3 18:37:22 CET 2016


Hello list.

On 1.2.2016 18:19, Linus Nordberg wrote:
> In an off-list conversation, it's been decided that logging of _removal_
> of DS RRs would be useful. If those understanding why this should be
> done could explain what attack(s) this will detect, that'd be great.

I think that this is not only useful but essential. An evil parent zone
can decide to forge an arbitrary record in it's child zone. To make it
possible, the parent can (1) change the trust path or (2) remove the DS
record rendering the child zone insecure.

In the first case, the attempt will be hopefully logged by the CT.

In the second case, the attempt will go unnoticed to CT. And current
client applications don't indicate whether the zone is DNSSEC-secure or not.

> The next question is how this should be done in practice, in our current
> experiment. IIRC we decided in Yokohama that Paul would hack up an
> unbound to submit DS records it stumbled over, together with a chain of
> keys and signatures up to a trust anchor that the log had configured.
> I'm going to show my ignorance and ask how this would be detected and
> expressed while pointing out that "duh, NSEC*" is _not_ enough for me to
> understand. :) I do accept terse descriptions and pointers to relevant
> litterature though!

This is the easiest way to start.

Jan


More information about the DNSSEC-Transparency mailing list