In message <20170816230917.4475.qm...@ary.lan>, "John Levine" writes:
> In article <20170816071920.ba2c98287...@rock.dv.isc.org> you write:
>
>> A colleague says "If TLDs allowed UPDATE messages to be processed most
>> of the issues with DNSSEC would go away. At the moment we have a whole
>> series of kludges because people are scared of signed update messages."
>
> Someone is wildly overoptimistic.
>
> The problem I run into over and over again is that I run someone's DNS
> and other services, but I am not the registrant and I am not the
> registrar, I just run the DNS. Either I have to walk the registrant
> through the process of installing DNSSEC keys, or she has to give me
> her registrar account password, neither of which scales. Slightly
> more automatic processing of updates for which I do not have the
> credentials will not help.
Or you can have credentials to allow the hoster to update the DS records
alone. UPDATE allows for fine-grained credentials. Named has had fine-grained
update support for over a decade now. You can specify keys that can do
everything and you can specify keys that can just update a single type.
This isn't hard to do.

The DNS hoster gives the registrant the public key they use to update DS
records. This is passed to the registrar which uses it to verify UPDATE
requests that change the DS records. You can do similar with TSIG but that
is a shared secret between three parties. This is like using master keys
and more specific keys.

The only reason this isn't done today is that we aren't using UPDATE and
are forcing all the transactions through a web interface.

Mark

> R's,
> John

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
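As an added illustration of the "master key versus type-restricted key" split Mark describes (this fragment is not from the thread, from ISC, or from any registry's configuration), here is how a BIND named.conf for a hypothetical parent zone "tld" could grant one key full rights and a second, hoster-held key the right to change only the DS records at one delegation. The zone name, key names and secrets are assumptions. It uses TSIG keys because they fit in one file; with SIG(0) as Mark suggests, the identity in the grant line would instead be the name of a KEY record holding the hoster's public key, and no shared secret would exist.

```conf
// Registry-side BIND 9 configuration fragment (illustrative, hypothetical names).

// Key held by the registry operator: may change anything in the zone.
key "registry-admin" {
    algorithm hmac-sha256;
    secret "<registry-admin-TSIG-secret-base64>";   // placeholder
};

// Key held by the DNS hoster for example.tld: only for DS changes.
key "hoster-example" {
    algorithm hmac-sha256;
    secret "<hoster-TSIG-secret-base64>";           // placeholder
};

zone "tld" {
    type primary;
    file "tld.db";
    update-policy {
        // Master key: any record type, anywhere under the zone apex.
        grant registry-admin subdomain tld ANY;

        // Specific key: the "name" rule type matches exactly one owner name,
        // and the trailing type list limits it to DS. A request signed with
        // this key that touches NS, A or any other type, or any other owner
        // name, is refused by named before it reaches the zone.
        grant hoster-example name example.tld DS;
    };
};
```

The hoster would then send the DS replacement with an ordinary signed UPDATE (for example nsupdate with `-k` pointing at the hoster-example key file): delete the old DS set at example.tld, add the new one, send. Nothing in the registrant's registrar account is involved, which is the scaling problem John raised; the only thing exchanged up front is the key, and if it leaks the worst an attacker can do with it is alter that one delegation's DS records, which named's log of refused updates would also make visible.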