It could, but:

1. An attacker could strip the SVCB record and its RRSIG, resulting in an ordinary delegation response that would be accepted and used without encryption.
2. This is a child-side record, and so presumably also a child-side RRSIG, but the validator may not yet have the child's DNSKEYs. Fetching those keys (in order to validate the transport configuration) would create additional delay before the query could be sent.
3. The parent-side logic to serve this RRSIG, and the coordination channels to get it there, seem complicated. Assuming it is signed by the ZSK, this also breaks a usual rule of not having parent-side content depend on the child ZSK.
--Ben

________________________________
From: Joe Abley <[email protected]>
Sent: Tuesday, June 24, 2025 3:29 PM
To: Ben Schwartz <[email protected]>
Cc: Johan Stenstam <[email protected]>; Working Group DNSOP <[email protected]>; [email protected] <[email protected]>; Erik Bergström <[email protected]>; Leon Fernandez <[email protected]>
Subject: Re: [DNSOP] Re: Proposal for opportunistic transport signaling from authoritative servers

On 24 Jun 2025, at 20:43, Ben Schwartz <[email protected]> wrote:

Apart from that minor issue, I don't object to this signaling, but I don't think it is very valuable due to the lack of authentication.

Is there a reason why the SVCB RRSet couldn't be packaged with an RRSIG?

Joe
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
