On 16 August 2017 at 19:09, John Levine <jo...@taugh.com> wrote:
> In article <20170816071920.ba2c98287...@rock.dv.isc.org> you write:
>
>> A colleague says "If TLDs allowed UPDATE messages to be processed most
>> of the issues with DNSSEC would go away. At the moment we have a whole
>> series of kludges because people are scared of signed update messages."
>
> Someone is wildly overoptimistic.
>
> The problem I run into over and over again is that I run someone's DNS
> and other services, but I am not the registrant and I am not the
> registrar, I just run the DNS. Either I have to walk the registrant
> through the process of installing DNSSEC keys, or she has to give me
> her registrar account password, neither of which scales. Slightly
> more automatic processing of updates for which I do not have the
> credentials will not help.

Have a look at:
<https://datatracker.ietf.org/doc/draft-ietf-regext-dnsoperator-to-rrr-protocol/>
It allows a registrar (or a registry in some ccTLD environments) to do CDS/CDNSKEY without having to constantly scan their registrants' name servers, and provides some advice on how to safely bootstrap DNSSEC using CDS/CDNSKEY. There's currently a registrar implementation at Gandi, enabled for the TLDs for which they do DNSSEC (I believe it's beta, so you have to speak to their support to find the API URI), and registry implementations at CIRA (.ca) and APNIC (for their reverse zones). The CZ.NIC folks have also started building it into Fred, their open source registry software. There are a few more changes the draft will go through before it's ready for last call, but the API it describes should remain largely unchanged from this point onward.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
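Added example, not part of this thread and not code from the draft or from the Gandi, CIRA, APNIC or CZ.NIC implementations mentioned above: the consistency check a parent-side (registrar or registry) implementation would run on a child's CDS/CDNSKEY RRsets before turning them into a DS change, whether those records were found by scanning or handed over through the notification API the draft describes. It derives DS records from CDNSKEY per RFC 4034 (key tag, digest over the owner name in canonical wire form plus the DNSKEY RDATA), requires CDS and CDNSKEY to describe the same keys when both are published as RFC 7344 demands, and recognises the RFC 8078 delete signal (CDS `0 0 0 00`, CDNSKEY `0 3 0 AA==`). The zone name `example.org` and the 64-byte key are constructed placeholders, not real key material, and the acceptance policy (validating the child's answer, any observation period, registrant opt-in) is assumed to be the caller's job; nothing here should be read as what the draft itself specifies.

```python
"""Parent-side check of a child's CDS/CDNSKEY RRsets (added example).

Not code from the draft or any registrar/registry; owner name and key bytes
below are constructed placeholders.
"""
import base64
import hashlib
from typing import List, Tuple

# DS digest types (RFC 4034 s5.1.3, RFC 6605) this example accepts.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# RFC 8078 s4: these exact records ask the parent to remove the DS.
DELETE_CDS = (0, 0, 0, "00")
DELETE_CDNSKEY = (0, 3, 0, "AA==")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    uncompressed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY/CDNSKEY RDATA in wire form (RFC 4034 s2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> Tuple[int, int, int, str]:
    """DS (key tag, algorithm, digest type, hex digest); digest is over
    owner name + DNSKEY RDATA (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_cds(text: str) -> Tuple[int, int, int, str]:
    """Parse CDS presentation format, e.g. '12345 13 2 ABCD...'."""
    tag, alg, dtype, digest = text.split(None, 3)
    return (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())


def parse_cdnskey(text: str) -> Tuple[int, int, int, str]:
    """Parse CDNSKEY presentation format, e.g. '257 3 13 <base64>'."""
    flags, proto, alg, key = text.split(None, 3)
    return (int(flags), int(proto), int(alg), key.replace(" ", ""))


def evaluate_child_signal(owner: str, cds_records: List[str], cdnskey_records: List[str]):
    """Return ("delete", None), ("update", [DS tuples]) or ("reject", reason).
    Whether the RRsets may be trusted at all (validation, observation window,
    registrant opt-in) is policy left to the caller."""
    cds = {parse_cds(r) for r in cds_records}
    cdnskey = {parse_cdnskey(r) for r in cdnskey_records}

    if DELETE_CDS in cds or DELETE_CDNSKEY in cdnskey:
        if cds - {DELETE_CDS} or cdnskey - {DELETE_CDNSKEY}:
            return ("reject", "delete signal mixed with key material")
        return ("delete", None)
    if not cds and not cdnskey:
        return ("reject", "child publishes neither CDS nor CDNSKEY")
    for flags, proto, _, _ in cdnskey:
        if proto != 3 or not flags & 0x0100:   # zone-key flag, RFC 4034 s2.1.1/s2.1.2
            return ("reject", "CDNSKEY is not a protocol-3 zone key")
    for _, _, dtype, _ in cds:
        if dtype not in DIGEST_ALGS:
            return ("reject", f"unsupported DS digest type {dtype}")

    # RFC 7344 s4.1: when both RRsets are published they MUST describe the same keys.
    if cds and cdnskey:
        def matches(key, rec):
            return ds_from_dnskey(owner, *key, digest_type=rec[2]) == rec
        if not all(any(matches(k, rec) for k in cdnskey) for rec in cds):
            return ("reject", "a CDS record has no matching CDNSKEY")
        if not all(any(matches(k, rec) for rec in cds) for k in cdnskey):
            return ("reject", "a CDNSKEY record has no matching CDS")
        return ("update", sorted(cds))
    if cds:
        return ("update", sorted(cds))
    # CDNSKEY only: the parent derives the DS itself (SHA-256 here).
    return ("update", sorted(ds_from_dnskey(owner, *k, digest_type=2) for k in cdnskey))


# Constructed sample: an algorithm-13 KSK (flags 257) with a fake 64-byte key and
# the CDS the child would publish for it; also a CDS with one digit flipped.
ZONE = "example.org"
FAKE_KSK_B64 = base64.b64encode(bytes(range(1, 65))).decode()
CDNSKEY_RRSET = [f"257 3 13 {FAKE_KSK_B64}"]
CDS_RRSET = ["%d %d %d %s" % ds_from_dnskey(ZONE, 257, 3, 13, FAKE_KSK_B64, 2)]
_d = CDS_RRSET[0]
TAMPERED_CDS_RRSET = [_d[:-1] + ("0" if _d[-1] != "0" else "1")]

if __name__ == "__main__":
    print(evaluate_child_signal(ZONE, CDS_RRSET, CDNSKEY_RRSET))
    print(evaluate_child_signal(ZONE, TAMPERED_CDS_RRSET, CDNSKEY_RRSET))
    print(evaluate_child_signal(ZONE, ["0 0 0 00"], ["0 3 0 AA=="]))
```

The two-way match (every CDS has a CDNSKEY and every CDNSKEY has a CDS) is what turns a mismatched pair into a rejection rather than a silent preference for one RRset, and refusing a delete signal that arrives alongside real keys avoids acting on a half-updated child zone. Both are checks the parent still has to run even when the records are pushed to it rather than scanned.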