On Tue, 26 Oct 2021, Peter Thomassen wrote:
> This draft introduces automatic bootstrapping of DNSSEC delegations. It uses
> an in-band method for DNS operators to publish information about the zones
> they host, per-zone and with authentication. With this protocol, DS
> provisioning can happen securely and without delay.
I've read the draft, and it is an interesting idea. Some thoughts I had:
- Is it really needed to do hashing? Do we really expect domain names to
hit the 63 or 255 limit?
- _boot seems too generic a name for this. _dsbootstrap would be better
and cause less clashing.
- I would like to see some text on removing the records too once the
child has gained its DS record.
- Should it be explicitly noted that in-bailiwick domains are not
supported?
- It imposes a constraint that the nameserver be in a zone that is DNSSEC
enabled. This is currently not required (though very often the case
anyway).
In general, the problem is that we need to make it easier for the DNS
hoster to enable DNSSEC when their customers are non-technical. I think
this draft does properly extend RFC 8078, and I even think this document
could deprecate the "Accept after wait" method. However, I do think it
should still impose a minimum length of publication before accepting,
so that mistakes similar to the recent slack.com outage can be
prevented. So change "accept after wait" to "verify, then accept after
wait".
Paul
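Paul's closing suggestion, "verify, then accept after wait", as an added Python sketch that is not code from the draft or from the post: the parent side only provisions a DS once the child's CDS set has been verified against DNSSEC-validated signaling records at every nameserver on each poll, and the same verified set has been observed continuously for a minimum hold-down period. The `Observation` data model, the `poll` helper and the sample CDS rdata are assumptions for the illustration; real DNS lookups and validation are replaced by constructed inputs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical data model (not from the draft): one poll of a child zone's CDS
# RRset plus the bootstrapping signal each of its nameservers serves for it.
@dataclass
class Observation:
    seen_at: datetime
    child_cds: frozenset        # CDS rdata strings seen at the child apex
    signal_cds: dict            # nameserver -> frozenset of CDS rdata in its signaling zone
    signal_validated: dict      # nameserver -> True if that signaling RRset DNSSEC-validated

def verified(obs: Observation, nameservers) -> bool:
    """Verify step: every listed nameserver must serve a DNSSEC-validated
    signaling RRset that matches the CDS set published at the child."""
    return all(obs.signal_validated.get(ns, False)
               and obs.signal_cds.get(ns) == obs.child_cds
               for ns in nameservers)

def verify_then_accept_after_wait(observations, nameservers, min_wait: timedelta):
    """Return the CDS set to provision as DS, or None if not acceptable yet.
    The latest poll must verify, and the same CDS set must have verified on
    every poll of an unbroken run spanning at least min_wait."""
    if not observations:
        return None
    polls = sorted(observations, key=lambda o: o.seen_at)
    latest = polls[-1]
    candidate = latest.child_cds
    if not candidate or not verified(latest, nameservers):
        return None
    first_seen = latest.seen_at
    for o in reversed(polls):   # walk back over the unbroken verified run
        if o.child_cds != candidate or not verified(o, nameservers):
            break
        first_seen = o.seen_at
    return candidate if latest.seen_at - first_seen >= min_wait else None

# Constructed sample data: two nameservers, daily polls, placeholder CDS rdata.
NS = ("ns1.example.net", "ns2.example.net")
CDS = frozenset({"12345 13 2 ABCDEF0123"})   # placeholder key tag / alg / digest
T0 = datetime(2021, 10, 26)
MIN_WAIT = timedelta(days=3)

def poll(day, validated=(True, True), cds=CDS):
    return Observation(T0 + timedelta(days=day), cds,
                       {ns: cds for ns in NS}, dict(zip(NS, validated)))

GOOD_RUN = [poll(d) for d in range(4)]        # four consistent daily polls
BROKEN_RUN = [poll(0), poll(1, validated=(True, False)), poll(2), poll(3)]

if __name__ == "__main__":
    print(verify_then_accept_after_wait(GOOD_RUN, NS, MIN_WAIT))    # the CDS set
    print(verify_then_accept_after_wait(BROKEN_RUN, NS, MIN_WAIT))  # None
```

A failed validation at one nameserver on a single poll resets the hold-down, so a DS is never accepted on the strength of an inconsistent window.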
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop