[DNSOP] [Fwd: New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt]

[Peter van Dijk <peter.van.dijk@powerdns.com>]

Hello dnsop,

early 2019, Manu of Facebook proposed the DSPKI record - a parent-side-
of-the-delegation record to hold a pin for authenticating child-side
DoT servers. This would be undeployable.

A few months ago, Tim April proposed NS2/NS2T, which looks like it
would clearly benefit from the ability to publish signed data on the
parent side of a delegation. This ability seems unlikely today.

Also a few months ago, myself and a few others proposed shoehorning
certificate hashes into the DS record. The shoehorning (and perhaps
some other aspects of that proposal) were not well received by
everybody.

When talking to Petr Spacek about this, he came up with the following:
-if-, long enough ago, besides DS, a range of RRtype numbers would have
been reserved with the same processing rules, i.e. these types live in
the -parent- and not on the -child-, then both DSPKI and NS2T could
become parent side records through the simple act of requesting an
IANA allocation from that special range.

Sadly, it is not five years ago today. It is today today. So, here is a
draft that requests that IANA reserves such a range. Knowledge of that
range and its DS-like handling can then end up in implementations over
time. When that has happened at some useful scale, we could do a DSPKI
experiment. NS2T could explore what benefits come from the ability to
publish in the parent. And, nobody will have to shoehorn hashed TLS
certificates into DS records.

This draft is a bit rough; I trust it, and this email, have brought the
idea across. Editorial comments are welcome via GitHub (link is in the
draft), or via the WG of course.

Looking forward to your thoughts on this.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

-------- Forwarded Message --------
From: internet-drafts@ietf.org
To: Petr Spacek <petr.spacek@nic.cz>, Peter van Dijk <
peter.van.dijk@powerdns.com>
Subject: [EXT] New Version Notification for draft-peetterr-dnsop-
parent-side-auth-types-00.txt
Date: Thu, 24 Sep 2020 10:49:03 -0700

A new version of I-D, draft-peetterr-dnsop-parent-side-auth-types-00.txt
has been successfully submitted by Peter van Dijk and posted to the
IETF repository.

Name:		draft-peetterr-dnsop-parent-side-auth-types
Revision:	00
Title:		Parent-side authoritative DNS records for enhanced delegation
Document date:	2020-09-24
Group:		Individual Submission
Pages:		5
URL:            https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt
Status:         https://datatracker.ietf.org/doc/draft-peetterr-dnsop-parent-side-auth-types/
Html:           https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.html
Htmlized:       https://tools.ietf.org/html/draft-peetterr-dnsop-parent-side-auth-types-00


Abstract:
   A DNS RRtype numeric range that behaves like DS is reserved.  This
   means: being authoritative on the parent side of a delegation; being
   signed by the parent; being provided along with delegations by the
   parent.  If this document had become an RFC five years ago, deploying
   new types (along the lines of NS2/NS2T, DSPKI or various other
   imagined things like DNS ('signed delegation NS')) would be easier to
   deploy and experiment with today.

                                                                                  


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat