[Cryptography] Certificates and PKI
Viktor Dukhovni
cryptography at dukhovni.org
Mon Dec 29 13:45:48 EST 2014
On Mon, Dec 29, 2014 at 03:40:00PM +0000, Ben Laurie wrote:
> > m9ktr713mv89v98bat896geo4it3stbd.example. NSEC3 1 0 1 BEEF M9KTR713MV89V98BAT896GEO4IT3STBF
> >
> > From such a domain served by a DNSSEC hosting provider with many
> > client zones one can elicit an essentially unlimited number of
> > signed responses.
>
> OK. But why would we care for DT (i.e. DNSSEC transparency) - all we
> care about, surely, is records that can influence the beholder's view
> of the domain key(s)?
Denial of existence of TLSA RRs is significant. As is denial of
existence of NS/DS records which might allow the parent to serve
a child zone directly.
I am not saying the issue is a show-stopper, just that it is not
obvious exactly which records one can safely avoid logging.
--
Viktor.
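The point about denial of existence above (an NSEC3 RR can prove either that a name does not exist or that an existing name has no TLSA RRset) can be made concrete. The following is an added illustration, not code from this thread or from any DNSSEC implementation: it computes the RFC 5155 NSEC3 hash (SHA-1 over the canonical wire-format name plus salt, iterated), parses the NSEC3 RR quoted in the message, and reports what that single RR proves about a given name and type. The TLSA owner name `_443._tcp.www.example.` is a constructed input. It deliberately checks only the hash-span logic; a real validator must also verify the RRSIG over the NSEC3 RR, the closest-encloser proof, and that salt and iterations match the zone's NSEC3PARAM.

```python
"""What does one NSEC3 RR prove about <name, type>?  Added example (not from the thread)."""
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 4648 "extended hex" alphabet
TO_B32HEX = str.maketrans(B32_STD, B32_HEX)


def canonical_wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root byte."""
    labels = name.rstrip(".").lower()
    out = bytearray()
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt)."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding (presentation format)
    return base64.b32encode(digest).decode("ascii").translate(TO_B32HEX).lower()


def parse_nsec3(rr: str) -> dict:
    """Parse presentation format: owner [TTL] [CLASS] NSEC3 alg flags iters salt next [types...]."""
    f = rr.split()
    i = f.index("NSEC3")
    owner = f[0].rstrip(".").lower()
    hashed, _, zone = owner.partition(".")  # first label is the hashed owner, rest is the zone
    return {
        "zone": zone, "owner_hash": hashed,
        "algorithm": int(f[i + 1]), "flags": int(f[i + 2]),
        "iterations": int(f[i + 3]), "salt": f[i + 4],
        "next_hash": f[i + 5].lower(), "types": {t.upper() for t in f[i + 6:]},
    }


def nsec3_proves(rr: dict, name: str, rrtype: str) -> str:
    """Return what this single NSEC3 RR says about <name, rrtype>:
    'name-nonexistent', 'type-absent', 'type-present' or 'no-proof'."""
    name = name.rstrip(".").lower()
    if not (name == rr["zone"] or name.endswith("." + rr["zone"])):
        return "no-proof"  # RR belongs to a different zone
    h = nsec3_hash(name, rr["salt"], rr["iterations"], rr["algorithm"])
    owner, nxt = rr["owner_hash"], rr["next_hash"]
    if h == owner:  # the name exists; the type bitmap says which RRsets it has
        return "type-present" if rrtype.upper() in rr["types"] else "type-absent"
    # base32hex sorts like the underlying bytes, so string comparison is safe here
    if owner < nxt:
        covered = owner < h < nxt
    else:  # last RR of the chain wraps around to the first
        covered = h > owner or h < nxt
    return "name-nonexistent" if covered else "no-proof"


# The NSEC3 RR quoted in the thread.  Owner and next hash differ only in the
# final character, so this RR covers exactly one hash value.
THREAD_RR = parse_nsec3(
    "m9ktr713mv89v98bat896geo4it3stbd.example. NSEC3 1 0 1 BEEF "
    "M9KTR713MV89V98BAT896GEO4IT3STBF"
)

if __name__ == "__main__":
    # Constructed TLSA owner name (assumption, not from the thread).
    print(nsec3_proves(THREAD_RR, "_443._tcp.www.example.", "TLSA"))
```

For the thread's RR the answer for almost any name is `no-proof`, which is the practical point: the span between owner and next hash is what carries the denial, and a transparency log that skips NSEC3 responses loses exactly that evidence, including "this TLSA name does not exist" and "this name exists but has no TLSA RRset".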