[DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

Paul Wouters <paul@nohats.ca> Mon, 19 March 2018 12:22 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44C041270AE; Mon, 19 Mar 2018 05:22:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w-P5259Nx-Ri; Mon, 19 Mar 2018 05:22:09 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54BD7124B17; Mon, 19 Mar 2018 05:22:09 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 404Zv319mgz39j; Mon, 19 Mar 2018 13:22:07 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1521462127; bh=OIEnxX8eu1BmLGZnD8GS4MF4P2CRfRBXJDIScGYHmSQ=; h=Date:From:To:cc:Subject; b=cMz4pBXyVfigjL6/wLI8Qci99SBZD/xhabHI1fU68e8lb26XxWELLkoxi3zzASPCR hdP4ElBUfJhVJP7Khj6gDOEh98O8xvbAKiMK+75TjSYY34u3syG9POB7/Y9AbJsNnY nNTwdRzL266UYJqeGK6xhzGsLampUzTeyxSjPYR0=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id C7Ct1px-HUi3; Mon, 19 Mar 2018 13:22:05 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 19 Mar 2018 13:22:04 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id AC111C98; Mon, 19 Mar 2018 08:22:03 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca AC111C98
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id A2E184023308; Mon, 19 Mar 2018 08:22:03 -0400 (EDT)
Date: Mon, 19 Mar 2018 08:22:03 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>, Trans <trans@ietf.org>
cc: Liang Xia <frank.xialiang@huawei.com>, Wes Hardaker <wes@hardakers.net>
Message-ID: <alpine.LRH.2.21.1803190813150.31565@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TK-mJ_lwGhEDvwnRi9qBV58bXK4>
Subject: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 12:22:11 -0000

We have just submitted a draft aimed at increasing the security of the DNSSEC
with respect to the power that parental zones have over their children.

The aim of this draft is twofold:

1) Allow zones to publicly commit to being delegation_only zones.

The aim here is to counter the argument that the root key and TLD
keys are all powerful and under government control, and can therefor
never be trusted.

2) Allow the creation of DNSSEC transparency logs

With delegation_only zones, we can limit DNSSEC transparency to only
log DS and DNSKEY and their proof of non-existenc. While this does not
prevent all rogue parental data, it does prevent it for those records
that matter (TLSA, SMIMEA, OPENPGPKEY).

Please have mercy on our souls,

Paul, Frank and Wes


A new version of I-D, draft-pwouters-powerbind-00.txt
has been successfully submitted by Paul Wouters and posted to the
IETF repository.

Name:		draft-pwouters-powerbind
Revision:	00
Title:		The Delegation_Only DNSKEY flag
Document date:	2018-03-19
Group:		Individual Submission
Pages:		7
URL:            https://www.ietf.org/internet-drafts/draft-pwouters-powerbind-00.txt
Status:         https://datatracker.ietf.org/doc/draft-pwouters-powerbind/
Htmlized:       https://tools.ietf.org/html/draft-pwouters-powerbind-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-pwouters-powerbind


Abstract:
    This document introduces a new DNSKEY flag called DELEGATION_ONLY
    that indicates that the particular zone will never sign zone data
    across a label.  That is, every dot is considered a zone cut and must
    have its own (signed) delegation.



Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat