[NCAP-Discuss] NCF phases x DNSSEC

Thomas, Matthew mthomas at verisign.com
Thu Nov 30 08:59:35 UTC 2023


NCAP DG,

Please see the note from Rubens. What are the group's thoughts on requiring or not requiring DNSSEC over the four phases?

My own opinion is that DNSSEC shouldn't be required or used throughout the whole assessment process under the "KISS" design principle. Maybe I'm wrong... but let's get some discussion going on this!

Matt




On 09.11.23, 01:09, "NCAP-Discuss on behalf of Rubens Kuhl via NCAP-Discuss" <ncap-discuss-bounces at icann.org on behalf of ncap-discuss at icann.org> wrote:




Hi folks.


I wonder what’s the group's take on whether each phase of the framework disallows DNSSEC, is neutral to DNSSEC or requires DNSSEC.
Let’s start with what we know, that phase 1 doesn’t allow DNSSEC (in order to avoid NSEC Aggressive Caching), and that phase 4 - considering its intrusiveness - requires DNSSEC (this was never discussed and is just my guess for now) in order to avoid (at least for the 50% of validating resolver queries out there) misdirection to a threat-actor-controlled honeypot.


With that in mind, what would be the requirement (or not) for phase 2 (response with private IP address)?
( ) Can’t have
( ) Better not to have
( ) Could have, not required
( ) Should have
( ) Must have


Keep going: what would be the requirement (or not) for phase 3 (reset-all public IP)?
( ) Can’t have
( ) Better not to have
( ) Could have, not required
( ) Should have
( ) Must have


My take is that phase 3 shares similar threat models with phase 4 and the must have DNSSEC applies there too.
On phase 2, it would be “not required” to me.


What’s the sentiment in the group for DNSSEC requirements, phase-wise?




Rubens






