blob: c0da6b11e72dbd2efd0a0dfee1054d212ebef9d8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
# Notes on DNSSEC Transparency
## Protocol
DNSSEC Transparency is implemented as described in
draft-zhang-trans-ct-dnssec-03 with the following changes.
- Submissions MUST include RRSIG RR's for all DS and DNSKEY RR's
- Log implementation is made easier since the log doesn't have to
make DNS queries.
- The system as a whole is made more predictable by including data
from the DNS from a single vantage point.
- Base URL is changed from
https://<log server>/ct/v1/
to
https://<log server>/dt/v1/
- No risk for conflict with CT's namespace.
- The type of service is obvious from looking at the URL.
- Submission format is changed from an array of base64-encoded RR's to
a single string object with a base64-encoded RRset. Note that the
order of the first two records is still important -- the first RR in
the RRset MUST be the DS record under submission, the next record
MUST be the RRSIG covering the DS record.
- The length of an RR is encoded in the data so RR's don't need the
framing provided by a JSON array.
## Status
## Open issues
- TLS vectors, should we really use them?
|
