Diffstat (limited to 'README-dnssec.md')
-rw-r--r--  README-dnssec.md  37
1 file changed, 37 insertions, 0 deletions
diff --git a/README-dnssec.md b/README-dnssec.md new file mode 100644 index 0000000..c0da6b1 --- /dev/null +++ b/README-dnssec.md @@ -0,0 +1,37 @@ +# Notes on DNSSEC Transparency + +## Protocol + +DNSSEC Transparency is implemented as described in +draft-zhang-trans-ct-dnssec-03 with the following changes. + +- Submissions MUST include RRSIG RR's for all DS and DNSKEY RR's + + - Log implementation is made easier since the log doesn't have to + make DNS queries. + + - The system as a whole is made more predictable by including data + from the DNS from a single vantage point. + +- Base URL is changed from + https://<log server>/ct/v1/ + to + https://<log server>/dt/v1/ + + - No risk for conflict with CT's namespace. + - The type of service is obvious from looking at the URL. + +- Submission format is changed from an array of base64-encoded RR's to + a single string object with a base64-encoded RRset. Note that the + order of the first two records is still important -- the first RR in + the RRset MUST be the DS record under submission, the next record + MUST be the RRSIG covering the DS record. + + - The length of an RR is encoded in the data so RR's don't need the + framing provided by a JSON array. + +## Status + +## Open issues + +- TLS vectors, should we really use them? |
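Review bot: the submission-format bullet underspecifies the record sequence: only the first two positions are fixed ("the first RR in the RRset MUST be the DS record under submission, the next record MUST be the RRSIG covering the DS record"), while the first bullet requires "RRSIG RR's for all DS and DNSKEY RR's", so the notes should state where the DNSKEY RRs and their RRSIGs go, and what a submitter does when a DS or DNSKEY set carries more than one RRSIG (several signing keys) or more than one DS record. "RRset" is also the wrong term for a mixed run of DS, RRSIG and DNSKEY records (an RRset shares owner name, class and type); "RR sequence" would be accurate. Since the framing argument ("The length of an RR is encoded in the data") relies on the RDLENGTH field, say explicitly that each RR is in uncompressed DNS wire format with no name compression, otherwise decoders have to guess. Finally, the bullet that the log "doesn't have to make DNS queries" leaves open whether the log validates the submitted RRSIGs against a trust anchor before accepting a submission; that should be stated, and the empty "Status" section either filled in or dropped.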