On Thu, 14 Apr 2016, Linus Nordberg wrote:
> | Is the absence of a DS also stored in the log? I.e.
> | the NSEC(3) proof?
>
> No. That is not in the draft and was not something we discussed at the
> DNSSEC Trans meeting in Yokohama as far as I can recall.

I think we did discuss it and said it was needed :)
While it is not very interesting for domains that were never signed, it
is of great interest to those that have had a DS in the past, as it
might be an attack by the parent to turn the child into insecure mode,
so they can then spoof any record of the child.

> Interest in this has been expressed on this list before [1] but no
> concrete suggestions on how this should be done have been presented so
> far.

It would require the two NSEC(3) records that prove this, but their
chain.
Paul