From e173e2a050caa21725b588757becb84b3c56460a Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Fri, 8 Apr 2016 17:33:08 +0200
Subject: Get submitting and storing working.

Add README.dnssec.

Do start the dnssecport server.

Add config option 'trust_anchors_file'.

Pass correct data to validation server.

Change URL for submitting to match draft (add-rr-chain).

Make add-rr-chain take a base64-encoded string of RR's instead of JSON list with one RR per entry.

TODO: Make the python tools know enough DNS to be able to verify SCT's and such (i.e. 'make tests').
---
 README-dnssec.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 README-dnssec.md

(limited to 'README-dnssec.md')

diff --git a/README-dnssec.md b/README-dnssec.md
new file mode 100644
index 0000000..c0da6b1
--- /dev/null
+++ b/README-dnssec.md
@@ -0,0 +1,37 @@ +# Notes on DNSSEC Transparency + +## Protocol + +DNSSEC Transparency is implemented as described in +draft-zhang-trans-ct-dnssec-03 with the following changes. + +- Submissions MUST include RRSIG RR's for all DS and DNSKEY RR's + + - Log implementation is made easier since the log doesn't have to + make DNS queries. + + - The system as a whole is made more predictable by including data + from the DNS from a single vantage point. + +- Base URL is changed from + https:///ct/v1/ + to + https:///dt/v1/ + + - No risk for conflict with CT's namespace. + - The type of service is obvious from looking at the URL. + +- Submission format is changed from an array of base64-encoded RR's to + a single string object with a base64-encoded RRset. Note that the + order of the first two records is still important -- the first RR in + the RRset MUST be the DS record under submission, the next record + MUST be the RRSIG covering the DS record. + + - The length of an RR is encoded in the data so RR's don't need the + framing provided by a JSON array. + +## Status + +## Open issues + +- TLS vectors, should we really use them? -- cgit v1.1
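Review bot: The first change bullet ("Log implementation is made easier since the log doesn't have to make DNS queries") should also state that the log still validates the submitted DS/DNSKEY/RRSIG chain against its own configured trust anchors (the commit adds the 'trust_anchors_file' option and a validation server for exactly this), otherwise the README reads as if submitter-supplied RRs are accepted as-is, and a submitter could get an unverified DS record logged. A sentence such as "The log validates the submitted chain from its configured trust anchors and rejects submissions that do not validate" under that bullet would close the gap. Two smaller points in the same hunk: the base URLs render with an empty host ("https:///ct/v1/" and "https:///dt/v1/"), so the host placeholder was presumably lost in markup and should be written out explicitly (e.g. a spelled-out placeholder for the log's hostname); and since the submission format now relies on the RR length encoded in the data rather than JSON framing, the "Submission format" bullet should say what the log returns when the RRset is malformed, when the declared RR lengths do not fit the decoded buffer, or when the first two records are not the DS and its covering RRSIG in that order. The "## Status" section is empty and should either be filled in or dropped until there is something to report.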