[DNSSEC-Transparency] security goals

Jan Včelak <jan.vcelak at nic.cz> wrote Wed, 3 Feb 2016 18:57:49 +0100: | Hello everyone. | | I recall the rather harsh discussions in Yokohoma. And now during the | off-the-list discussions I had an impression that we aren't on the same | page as for the goals of this effort. | | Can we clearly formulate what are the security goals of DNSSEC transparency? | | My concern is that not all Certificate Transparency goals will be | applicable to DNSSEC. And I want to be sure that the result of our | effort will be useful. The controversy at the meeting flew above my head so I won't comment on that. Here's my understanding of what was decided at the meeting regarding the experiment with logging DS records. - NORDUnet is setting up a CT-like log that accepts DS records (for a small number of zones) which are accompanied by a trust chain leading to the root. The log stores the DS posts and the trust chain. The zones in question are root and .ca. - Paul submits DS posts to the above mentioned log. Since then, NIC.cz and IIS (.se), have both expressed interest in helping out with operation of the log. I suggest that .cz and .se are added to the list of zones that the log accepts DS posts for. The question of how a DNSSEC Transparency system should work is, despite the name of this list, not _directly_ on the agenda even if it's closely related. In particular, standardisation efforts should probably be discussed over at the IETF TRANS wg list. I think that formulating the security goals of DNSSEC Transparency belong there too.