[DNSSEC-Transparency] security goals
linus at nordu.net
Thu Feb 4 14:45:40 CET 2016
Jan Včelak <jan.vcelak at nic.cz> wrote
Wed, 3 Feb 2016 18:57:49 +0100:
| Hello everyone.
| I recall the rather harsh discussions in Yokohoma. And now during the
| off-the-list discussions I had an impression that we aren't on the same
| page as for the goals of this effort.
| Can we clearly formulate what are the security goals of DNSSEC transparency?
| My concern is that not all Certificate Transparency goals will be
| applicable to DNSSEC. And I want to be sure that the result of our
| effort will be useful.
The controversy at the meeting flew above my head so I won't comment on
that. Here's my understanding of what was decided at the meeting
regarding the experiment with logging DS records.
- NORDUnet is setting up a CT-like log that accepts DS records (for a
small number of zones) which are accompanied by a trust chain leading to
the root. The log stores the DS posts and the trust chain. The zones in
question are root and .ca.
- Paul submits DS posts to the above mentioned log.
Since then, NIC.cz and IIS (.se), have both expressed interest in
helping out with operation of the log. I suggest that .cz and .se are
added to the list of zones that the log accepts DS posts for.
The question of how a DNSSEC Transparency system should work is, despite
the name of this list, not _directly_ on the agenda even if it's closely
related. In particular, standardisation efforts should probably be
discussed over at the IETF TRANS wg list. I think that formulating the
security goals of DNSSEC Transparency belong there too.
More information about the DNSSEC-Transparency