On Fri, 18 Aug 2017, Mark Andrews wrote:
> And the proposal was for registrars to process them except in the case where the registry and registrar are the same entity. The only thing the registry needs to run is a forwarding agent which looks at the name of the zone to be updated (sanity checking and possible database selection for the next step) and the name of the first record to be updated in the update section to find which registrar to forward the update to. This is similar to how nsupdate works out which zone to update without being told explicitly.
I'm sorry, but once again I can't see how your response is related to what you're responding to.
It is a business issue whether the DNSSEC records (and the NS for that matter) are updated through the registry or the registrar. Some do it one way, some do it the other, and the registrars and registries I've talked to feel very strongly about whichever way they do it. Either way, the problem is that almost none of them issue credentials that let you update a zone's DNSSEC separate from letting you update everything else about a registrant.
As I've said a couple of times, where you present those non-existent credentials and whether you do it through TSIG or some web thing (web servers are really good at 3xx redirects) is an implementation nit. At this point Jacques' proposal that gives you a challenge token to stick in your zone to prove you're authorized is looking pretty good.
R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
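As an added example (not code from the thread, and not from any registry or registrar software), here is a minimal version of the forwarding agent Mark describes: it parses an RFC 2136 UPDATE message on the wire, uses the zone section to pick which registry zone (and so which database) is involved, and uses the owner name of the first record in the update section to find the sponsoring registrar to forward to. The registry zones, the registrar table, the sample DS rotation and the rule that only NS and DS are accepted at a delegation point are all constructed assumptions for the example; the name decoder, header layout and RR layout follow RFC 1035/2136.

```python
"""Forwarding agent for registry-side DNS UPDATE (RFC 2136) messages.

Added example, not code from the thread.  Registry zones, the registrar
table and the record-type whitelist below are constructed assumptions.
"""
import struct

OPCODE_UPDATE = 5
TYPE_NS, TYPE_SOA, TYPE_DS = 2, 6, 43
CLASS_IN, CLASS_ANY = 1, 255

# Assumed registry data: zones this registry serves, and the sponsoring
# registrar of each delegation (what a real registry would read from its DB).
REGISTRY_ZONES = {"example.", "test."}
SPONSOR = {"foo.example.": "registrar-a", "bar.test.": "registrar-b"}
ALLOWED_TYPES = {TYPE_NS, TYPE_DS}   # assumption: only cut-point data is forwarded


def encode_name(name):
    """Wire-encode an absolute dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off:], following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_update(zone, rrs, msg_id=0x1234):
    """Build an UPDATE message: one zone entry, no prerequisites, given RRs."""
    hdr = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(rrs), 0)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for name, rtype, rclass, ttl, rdata in rrs:
        body += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return hdr + body


def route_update(msg):
    """Sanity-check an UPDATE and return (zone, delegation, registrar).
    Raises ValueError with the RCODE name a real agent would send back."""
    if len(msg) < 12:
        raise ValueError("FORMERR: short message")
    _id, flags, zocount, prcount, upcount, _ad = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("NOTIMP: not an UPDATE")
    if zocount != 1:
        raise ValueError("FORMERR: zone section must have exactly one entry")
    off = 12
    zone, off = decode_name(msg, off)                  # which zone / database
    ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if ztype != TYPE_SOA or zclass != CLASS_IN:
        raise ValueError("FORMERR: zone entry must be SOA IN")
    if zone not in REGISTRY_ZONES:
        raise ValueError("NOTAUTH: %s is not served here" % zone)
    for _ in range(prcount):                           # skip prerequisite RRs
        _name, off = decode_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    if upcount == 0:
        raise ValueError("REFUSED: nothing to update")
    delegation = None
    for _ in range(upcount):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if not name.endswith("." + zone):              # must be below the apex
            raise ValueError("NOTZONE: %s is outside %s" % (name, zone))
        if rtype not in ALLOWED_TYPES:
            raise ValueError("REFUSED: type %d not accepted at a delegation" % rtype)
        if delegation is None:
            delegation = name                          # first record picks the registrar
        elif name != delegation:
            raise ValueError("REFUSED: update spans several delegations")
    registrar = SPONSOR.get(delegation)
    if registrar is None:
        raise ValueError("NXDOMAIN: %s has no sponsoring registrar" % delegation)
    return zone, delegation, registrar


# Constructed sample: a registrant replacing the DS RRset of foo.example.
SAMPLE_DS = struct.pack("!HBB", 12345, 13, 2) + bytes(32)   # keytag, alg, digest type, digest
SAMPLE_UPDATE = build_update("example.", [
    ("foo.example.", TYPE_DS, CLASS_ANY, 0, b""),           # delete existing DS RRset
    ("foo.example.", TYPE_DS, CLASS_IN, 3600, SAMPLE_DS),   # add the new DS
])

if __name__ == "__main__":
    print(route_update(SAMPLE_UPDATE))
```

The agent deliberately stops at routing: it never applies the update itself, and it refuses anything it cannot attribute to exactly one delegation, so a single message cannot be used to touch two registrants' data or anything above the cut point. The credential question John raises is untouched here; whatever TSIG key or token accompanies the forwarded message is for the registrar to check.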