[NCAP-Discuss] NCF phases x DNSSEC

Thomas, Matthew mthomas at verisign.com
Thu Dec 7 08:08:33 UTC 2023


Thanks Rubens.

Any other group comments?  Otherwise, I propose this is memorialized by the writing staff into the document.


Matt

On 06.12.23, 22:23, "NCAP-Discuss on behalf of Rubens Kuhl via NCAP-Discuss" <ncap-discuss-bounces at icann.org on behalf of ncap-discuss at icann.org> wrote:




Matt,


Reflecting on that, I like your proposal. Collisions that are already happening do not have DNSSEC validation, unless someone uses old DNS software with TLV validation and an alternative DNSSEC chain.


So while we already established DNSSEC as harmful to tool #1, so in this case it is a MUST NOT, we could establish a SHOULD NOT for all tools from 2 to 4. And forecast the root zone change rate based on “no DNSSEC needed”.




Rubens








> On 30 Nov 2023, at 05:59, Thomas, Matthew <mthomas at verisign.com> wrote:
> 
> NCAP DG,
> 
> Please see the note from Rubens. What are the group's thoughts on requiring or not requiring DNSSEC over the four phases?
> 
> My own opinion is that DNSSEC shouldn't be required or used throughout the whole assessment process under the "KISS" design principle. Maybe I'm wrong... but let's get some discussion going on this!
> 
> Matt
> 
> 
> 
> 
> On 09.11.23, 01:09, "NCAP-Discuss on behalf of Rubens Kuhl via NCAP-Discuss" <ncap-discuss-bounces at icann.org on behalf of ncap-discuss at icann.org> wrote:
> 
> 
> 
> 
> Hi folks.
> 
> 
> I wonder what the group’s take is on whether each phase of the framework disallows DNSSEC, is neutral to DNSSEC or requires DNSSEC.
> Let’s start with what we know, that phase 1 doesn’t allow DNSSEC (in order to avoid NSEC Aggressive Caching), and that phase 4 - considering its intrusiveness - requires DNSSEC (this was never discussed and is just my guess for now) in order to avoid (at least for the 50% of validating resolver queries out there) misdirection to a threat-actor-controlled honeypot.
> 
> 
> With that in mind, what would be the requirement (or not) for phase 2 (response with private IP address)?
> ( ) Can’t have
> ( ) Better not to have
> ( ) Could have, not required
> ( ) Should have
> ( ) Must have
> 
> 
> Keep going: what would be the requirement (or not) for phase 3 (reset-all public IP)?
> ( ) Can’t have
> ( ) Better not to have
> ( ) Could have, not required
> ( ) Should have
> ( ) Must have
> 
> 
> My take is that phase 3 shares similar threat models with phase 4 and the must have DNSSEC applies there too.
> On phase 2, it would be “not required” to me.
> 
> 
> What’s the sentiment in the group for DNSSEC requirements, phase-wise?
> 
> 
> 
> 
> Rubens
> 
> 
> 
> 
> 






