synthetic DNSSEC for labels within .onion
Similar to our discussion over the last month about synthetic CAs for *.onion, it occurs to me that we could do a similar thing for DNSSEC, where we can synthesize a DNSKEY or DS record for $foo.onion from the $foo public key.
Obviously, there's no typical way to get a DNSSEC record from within *.onion, as there will be no NS records. But DNSSEC records could be discovered by some alternate means (or we could propose a standard way that an onion service could provide its own DNS RRs). Once a DNSSEC-capable client has the relevant RRs in hand, there's a question of how it can chain back to the root.
So we could provide guidance on how a DNSSEC-capable resolver should chain queries within the .onion domain.
I raise this because of discussion about DNSSEC and special domains in the dnsop session at IETF 115 today.
I don't have a specific design for how to do this right now, but I would be happy to talk it over further.
(obviously, this wouldn't be particularly useful for A or AAAA records, as there is no point in trying to resolve IP addresses within .onion, but an increasing amount of information is being loaded into the DNS, and this offers a way that an onion service could provide a cryptographically strong guarantee about such material)