diff options
| author | Linus Nordberg <linus@nordu.net> | 2016-07-16 11:39:39 +0200 |
|---|---|---|
| committer | Linus Nordberg <linus@nordu.net> | 2016-07-16 11:39:39 +0200 |
| commit | cde186313b20e46be41736c9ac506674fa4f2d23 (patch) | |
| tree | 4fd2de8a8746046320a3e93c13248aba2aef5ead | |
| parent | 49d8ed9587b1363f2feddc39f31442fd292798f2 (diff) | |
Docu updates.
| -rw-r--r-- | README-dnssec.md | 45 |
1 files changed, 36 insertions, 9 deletions
diff --git a/README-dnssec.md b/README-dnssec.md index c0da6b1..62960de 100644 --- a/README-dnssec.md +++ b/README-dnssec.md @@ -1,5 +1,12 @@ # Notes on DNSSEC Transparency +This file contains notes about the implementation of a CT-like log for +a DNSSEC Transparency experiment, called 'dotlfish'. + +## Status, implementation + +TBD + ## Protocol DNSSEC Transparency is implemented as described in @@ -13,24 +20,44 @@ draft-zhang-trans-ct-dnssec-03 with the following changes. - The system as a whole is made more predictable by including data from the DNS from a single vantage point. -- Base URL is changed from - https://<log server>/ct/v1/ - to - https://<log server>/dt/v1/ +- Base URL has changed + + From https://<log server>/ct/v1/ + to https://<log server>/dt/v1/ - No risk for conflict with CT's namespace. - The type of service is obvious from looking at the URL. - Submission format is changed from an array of base64-encoded RR's to - a single string object with a base64-encoded RRset. Note that the - order of the first two records is still important -- the first RR in - the RRset MUST be the DS record under submission, the next record - MUST be the RRSIG covering the DS record. + a single string with base64-encoded RR's. Note that the order of the + first two records is important -- the first RR MUST be the DS record + under submission, the next record MUST be the RRSIG covering the DS + record. - The length of an RR is encoded in the data so RR's don't need the framing provided by a JSON array. -## Status +## Notes + +### What is a duplicate? + +The draft is not precise on the question of what comprises an entry +with regards to duplicates. Here's what dotlfish does. + +- Two submissons, A and B, are considered equal iff all of the + following is true + + - the canonicalised DS RR in A and B are bitwise equal + + - the number of DNSKEY RR's in A and B are equal + + - all DNSKEY RR's in A and B are bitwise equal + +- Accept up to 12 duplicates per day. + +### Logging NSEC3 + +TBD ## Open issues |