From cde186313b20e46be41736c9ac506674fa4f2d23 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Sat, 16 Jul 2016 11:39:39 +0200 Subject: Docu updates. --- README-dnssec.md | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/README-dnssec.md b/README-dnssec.md index c0da6b1..62960de 100644 --- a/README-dnssec.md +++ b/README-dnssec.md @@ -1,5 +1,12 @@ # Notes on DNSSEC Transparency +This file contains notes about the implementation of a CT-like log for +a DNSSEC Transparency experiment, called 'dotlfish'. + +## Status, implementation + +TBD + ## Protocol DNSSEC Transparency is implemented as described in 
@@ -13,24 +20,44 @@ draft-zhang-trans-ct-dnssec-03 with the following changes. - The system as a whole is made more predictable by including data from the DNS from a single vantage point. -- Base URL is changed from - https:///ct/v1/ - to - https:///dt/v1/ +- Base URL has changed + + From https:///ct/v1/ + to https:///dt/v1/ - No risk for conflict with CT's namespace. - The type of service is obvious from looking at the URL. - Submission format is changed from an array of base64-encoded RR's to - a single string object with a base64-encoded RRset. Note that the - order of the first two records is still important -- the first RR in - the RRset MUST be the DS record under submission, the next record - MUST be the RRSIG covering the DS record. + a single string with base64-encoded RR's. Note that the order of the + first two records is important -- the first RR MUST be the DS record + under submission, the next record MUST be the RRSIG covering the DS + record. - The length of an RR is encoded in the data so RR's don't need the framing provided by a JSON array. -## Status +## Notes + +### What is a duplicate? + +The draft is not precise on the question of what comprises an entry +with regards to duplicates. Here's what dotlfish does. + +- Two submissons, A and B, are considered equal iff all of the + following is true + + - the canonicalised DS RR in A and B are bitwise equal + + - the number of DNSKEY RR's in A and B are equal + + - all DNSKEY RR's in A and B are bitwise equal + +- Accept up to 12 duplicates per day. + +### Logging NSEC3 + +TBD ## Open issues
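Review bot: in the first hunk (`@@ -1,5 +1,12 @@`) the new `## Status, implementation` section contains only `TBD`, while the second hunk removes the old `## Status` heading, so after this patch the README has a status heading with no status under it. Either state what is implemented so far (which of the `/dt/v1/` endpoints exist, whether the duplicate policy below is enforced) or leave the heading out until there is content; a `TBD` heading under a "Docu updates" commit tells the reader nothing. The same applies to `### Logging NSEC3`, which is also added as a bare `TBD`.

Review bot: the duplicate definition added under `### What is a duplicate?` in the second hunk is underspecified on three points. First, the DS RR is compared "canonicalised" but the DNSKEY RR's are compared "bitwise" with no canonicalisation or ordering rule, so it is unclear whether two submissions carrying the same DNSKEYs in a different order, or with different TTLs, are duplicates; say whether DNSKEYs are canonicalised and sorted before the comparison. Second, the RRSIG covering the DS is not part of the comparison at all, so a re-signed submission of an unchanged DS/DNSKEY set counts as a duplicate; if that is intended, say so, since it is the likely reason a zone operator would resubmit. Third, "Accept up to 12 duplicates per day" does not say what the log answers for the 13th submission (a rejection, or the same response as for the earlier copies) nor whether "day" is a calendar day or a sliding 24-hour window. Smaller points in the same hunk: `submissons` should be `submissions`; both base-URL lines read `https:///ct/v1/` and `https:///dt/v1/` with nothing between the slashes, so the host placeholder is missing from the rendered text and should be written in a form that survives markdown, e.g. in backticks; and the rewritten submission-format bullet now says "a single string with base64-encoded RR's" where the old text said "a single string object with a base64-encoded RRset", which leaves open whether the submission is one base64 string over a concatenation of length-prefixed wire-format RRs (as the following bullet about RR length framing suggests) or several base64 strings.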