In message <alpine.OSX.2.21.1708172112530.64140@ary.local>, "John R Levine" 
writes:
> On Fri, 18 Aug 2017, Mark Andrews wrote:
> >>> Or you can have credentials to allow the hoster to update the DS
> >>> records alone.
> >>
> >> Of course, but that's independent of how you present the updates to the
> >> registry or registrar.
> >
> > Yet, you chose to attempt to shoot down the proposal based on the
> > premise that you would be giving up full control.
> 
> You appear to be responding to someone else.  My point is that in 
> practice, registries do not provide credentials for DNSSEC updates only, 
> regardless of how they're presented.

And the proposal was for registrars to process them except in the
case where the registry and registrar are the same entity.  The
only thing the registry needs to run is a forwarding agent which
looks at the name of the zone to be updated (sanity checking and
possible database selection for the next step) and the name of the
first record to be updated in the update section to find which
registrar to forward the update to.  This is similar to how nsupdate
works out which zone to update without being told explicitly.

All validation (TSIG/SIG(0)), beyond "is the UPDATE in scope", is
done by the registrar, which doesn't require the registry to handle
any credentials.

> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
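
The forwarding step described in this message, as an added sketch that is not part of the original e-mail or any registry's code: it reads the zone name and the owner of the first record in the update section of a raw RFC 2136 UPDATE and picks a registrar, without touching credentials. The registrar table, endpoint name, helper names and sample message are assumptions made up for illustration, and name compression is not handled.

```python
import struct

# Assumed registry data (hypothetical): delegation -> registrar UPDATE endpoint.
REGISTRY_ZONES = {"org."}
REGISTRAR_OF = {"example.org.": "update.registrar-a.example"}

def read_name(msg, off):
    """Decode an uncompressed name; return (lower-cased FQDN, next offset)."""
    labels = []
    while msg[off]:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compressed names not handled in this sketch")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def skip_rr(msg, off):
    """Step over one RR: name, then TYPE/CLASS/TTL (8 bytes), RDLENGTH, RDATA."""
    _, off = read_name(msg, off)
    return off + 10 + struct.unpack_from("!H", msg, off + 8)[0]

def route_update(msg):
    """Return (endpoint, delegation) for a raw RFC 2136 UPDATE, else ValueError."""
    _id, flags, zo, pr, up, _ad = struct.unpack_from("!6H", msg, 0)
    if (flags >> 11) & 0xF != 5 or zo != 1 or up < 1:
        raise ValueError("not a routable UPDATE")
    zone, off = read_name(msg, 12)
    if zone not in REGISTRY_ZONES:
        raise ValueError("zone not served by this registry")
    off += 4                                  # skip ZTYPE and ZCLASS
    for _ in range(pr):                       # prerequisites precede updates
        off = skip_rr(msg, off)
    owner, _ = read_name(msg, off)            # first record in the update section
    if not owner.endswith("." + zone):
        raise ValueError("update is out of scope for the zone")
    delegation = owner[:-len(zone)].rstrip(".").split(".")[-1] + "." + zone
    if delegation not in REGISTRAR_OF:
        raise ValueError("no registrar for " + delegation)
    # No TSIG/SIG(0) check here: the registrar validates the forwarded message.
    return REGISTRAR_OF[delegation], delegation

def wire(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def sample_update(zone, owner, prereqs=0):
    """Constructed sample: UPDATE with one DS RR (type 43) and dummy RDATA."""
    rr = wire(owner) + struct.pack("!2HIH", 43, 1, 3600, 4) + bytes(4)
    return (struct.pack("!6H", 0x1234, 5 << 11, 1, prereqs, 1, 0)
            + wire(zone) + struct.pack("!2H", 6, 1) + rr * (prereqs + 1))
```

Because the agent forwards the message bytes unchanged, a TSIG or SIG(0) signature made by the DNS hoster still verifies at the registrar.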