author Linus Nordberg <linus@nordu.net> 2016-07-16 11:39:39 +0200
committer Linus Nordberg <linus@nordu.net> 2016-07-16 11:39:39 +0200
commit cde186313b20e46be41736c9ac506674fa4f2d23 (patch)
tree 4fd2de8a8746046320a3e93c13248aba2aef5ead
parent 49d8ed9587b1363f2feddc39f31442fd292798f2 (diff)
Docu updates.
-rw-r--r-- README-dnssec.md 45
1 files changed, 36 insertions, 9 deletions
diff --git a/README-dnssec.md b/README-dnssec.md
index c0da6b1..62960de 100644
--- a/README-dnssec.md
+++ b/README-dnssec.md
@@ -1,5 +1,12 @@
# Notes on DNSSEC Transparency
+This file contains notes about the implementation of a CT-like log for
+a DNSSEC Transparency experiment, called 'dotlfish'.
+
+## Status, implementation
+
+TBD
+
## Protocol
DNSSEC Transparency is implemented as described in
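Review bot: the new "## Status, implementation" section inserted after the title consists only of "TBD", while the old "## Status" heading is removed in the next hunk, so the file ends up with an empty status section at the top; either state in one line what dotlfish implements today (or where that is tracked) or leave the section out until there is content. Also, the intro paragraph "This file contains notes about the implementation of a CT-like log for" is placed directly under "# Notes on DNSSEC Transparency" with no blank line, unlike the spacing used before "## Protocol"; adding one keeps the headings consistent.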
@@ -13,24 +20,44 @@ draft-zhang-trans-ct-dnssec-03 with the following changes.
- The system as a whole is made more predictable by including data
from the DNS from a single vantage point.
-- Base URL is changed from
- https://<log server>/ct/v1/
- to
- https://<log server>/dt/v1/
+- Base URL has changed
+
+ From https://<log server>/ct/v1/
+ to https://<log server>/dt/v1/
- No risk for conflict with CT's namespace.
- The type of service is obvious from looking at the URL.
- Submission format is changed from an array of base64-encoded RR's to
- a single string object with a base64-encoded RRset. Note that the
- order of the first two records is still important -- the first RR in
- the RRset MUST be the DS record under submission, the next record
- MUST be the RRSIG covering the DS record.
+ a single string with base64-encoded RR's. Note that the order of the
+ first two records is important -- the first RR MUST be the DS record
+ under submission, the next record MUST be the RRSIG covering the DS
+ record.
- The length of an RR is encoded in the data so RR's don't need the
framing provided by a JSON array.
-## Status
+## Notes
+
+### What is a duplicate?
+
+The draft is not precise on the question of what comprises an entry
+with regards to duplicates. Here's what dotlfish does.
+
+- Two submissons, A and B, are considered equal iff all of the
+ following is true
+
+ - the canonicalised DS RR in A and B are bitwise equal
+
+ - the number of DNSKEY RR's in A and B are equal
+
+ - all DNSKEY RR's in A and B are bitwise equal
+
+- Accept up to 12 duplicates per day.
+
+### Logging NSEC3
+
+TBD
## Open issues
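Review bot: the equality rule under "### What is a duplicate?" compares only "the canonicalised DS RR in A and B" and the DNSKEY RRs, so two submissions that differ only in the RRSIG covering the DS (which the submission-format bullet says "MUST be the RRSIG covering the DS record") are treated as the same entry; if that is intended it should be said explicitly, and "canonicalised" should name the canonical form used (the RFC 4034 canonical RR form is the natural choice). "Accept up to 12 duplicates per day." also leaves open what a thirteenth submission gets back (an error, and which one, or a silent drop), which a client implementer needs to know. Minor: "submissons" -> "submissions", "all of the following is true" -> "are true", and the reworded bullet now reads "a single string with base64-encoded RR's" where the removed text said "a base64-encoded RRset"; please confirm whether each RR is encoded separately or the whole RRset is one base64 blob, since the length-prefix note below it only makes sense for the latter.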