[Cryptography] Certificates and PKI

Viktor Dukhovni cryptography at dukhovni.org
Mon Dec 29 13:45:48 EST 2014

On Mon, Dec 29, 2014 at 03:40:00PM +0000, Ben Laurie wrote:

> >     m9ktr713mv89v98bat896geo4it3stbd.example. NSEC3 1 0 1 BEEF M9KTR713MV89V98BAT896GEO4IT3STBF
> >
> > From such a domain served by a DNSSEC hosting provider with many
> > client zones one can elicit an essentially unlimited number of
> > signed responses.
> OK. But why would we care for DT (i.e. DNSSEC transparency) - all we
> care about, surely, is records that can influence the beholder's view
> of the domain key(s)?

Denial of existence of TLSA RRs is significant.  As is denial of
existence of NS/DS records which might allow the parent to serve
a child zone directly.

I am not saying the issue is a show-stopper, just that it is not
obvious exactly which records one can safely avoid logging.
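The denial-of-existence point above, as an added example that is not code from the message or from either correspondent: NSEC3 hashing and the NXDOMAIN proof set per RFC 5155, run over a small constructed zone. The zone names are assumed for illustration; the hash parameters (SHA-1, flags 0, one extra iteration, salt BEEF) are taken from the record quoted in the message, and the base32hex and hash steps are checked against the RFC 5155 Appendix A vector for `example.` (salt aabbccdd, 12 iterations). What it shows is that the three NSEC3 RRs proving `_443._tcp.www.example.` does not exist are exactly the signed records an attacker would replay to make a validator believe there is no TLSA record at that name.

```python
"""
NSEC3 hashing and NXDOMAIN (name error) proof assembly per RFC 5155.

Added example, not code from the message above. The zone contents are
constructed; the NSEC3 parameters (SHA-1, 1 extra iteration, salt BEEF)
match the record quoted in the message.
"""
import base64
import hashlib

# RFC 4648 "extended hex" alphabet: sorting the text form sorts the hashes.
STD_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
HEX_B32 = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def wire_name(name: str) -> bytes:
    """Canonical wire form of a fully-qualified name: lower-cased labels,
    each prefixed by its length, terminated by the root's zero byte."""
    trimmed = name.lower().rstrip(".")
    out = b""
    for label in (trimmed.split(".") if trimmed else []):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding (a SHA-1 digest encodes to 32 chars)."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_B32, HEX_B32))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), then `iterations` further
    rounds of SHA-1(digest || salt), base32hex-encoded."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_chain(zone_names, salt: bytes, iterations: int):
    """NSEC3 chain: each owner hash points at the next in sorted order, the
    last wrapping to the first. Empty non-terminals must be in zone_names,
    as a signer would include them."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in zone_names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covers(owner: str, nxt: str, h: str) -> bool:
    """True if h lies strictly between owner and next, allowing for the
    wrap-around on the chain's last record."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def find_cover(chain, h: str):
    """The (owner, next) pair covering h, or None if h matches an owner."""
    return next(((o, n) for o, n in chain if covers(o, n, h)), None)


def name_error_proof(chain, qname: str, salt: bytes, iterations: int):
    """The NSEC3 RRs a validator needs before accepting NXDOMAIN (RFC 5155
    sections 7.2.2 and 8.4): one matching the closest encloser, one
    covering the next closer name, one covering the wildcard at the
    closest encloser. Returns None when qname itself exists."""
    owners = {o: (o, n) for o, n in chain}
    if nsec3_hash(qname, salt, iterations) in owners:
        return None
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        ancestor = ".".join(labels[i:]) + "."
        h_anc = nsec3_hash(ancestor, salt, iterations)
        if h_anc not in owners:
            continue
        next_closer = ".".join(labels[i - 1:]) + "."
        return {
            "closest_encloser": ancestor,
            "next_closer": next_closer,
            "closest_encloser_rr": owners[h_anc],
            "next_closer_covered_by":
                find_cover(chain, nsec3_hash(next_closer, salt, iterations)),
            "wildcard_covered_by":
                find_cover(chain, nsec3_hash("*." + ancestor, salt, iterations)),
        }
    raise ValueError(f"{qname} is not below any name in the chain")


# Constructed zone: mail.example. publishes a TLSA record at
# _25._tcp.mail.example. (so _tcp.mail.example. is an empty non-terminal
# with its own NSEC3 RR); www.example. publishes none.
SALT = bytes.fromhex("BEEF")
ITERATIONS = 1
ZONE_NAMES = ["example.", "www.example.", "mail.example.",
              "_tcp.mail.example.", "_25._tcp.mail.example."]
CHAIN = build_chain(ZONE_NAMES, SALT, ITERATIONS)


def tlsa_denied(qname: str):
    """Signed proof set that, replayed, convinces a validator there is no
    TLSA record at qname; None if the name exists."""
    return name_error_proof(CHAIN, qname, SALT, ITERATIONS)


if __name__ == "__main__":
    for owner, nxt in CHAIN:
        print(f"{owner.lower()}.example. NSEC3 1 0 {ITERATIONS} BEEF {nxt}")
    print(tlsa_denied("_443._tcp.www.example."))
    print(tlsa_denied("_25._tcp.mail.example."))
```

The chain printed by the block has the same shape as the record quoted at the top of the message: each NSEC3 RR is a signed statement about a hash interval, and a transparency log that skips them loses the ability to show that a TLSA (or DS) denial a client saw was one the zone actually published.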


