> On 22 Jun 2022, at 00:07, John Levine <jo...@taugh.com> wrote:
> 
> It appears that  <rube...@nic.br> said:
>> 
>> Hi.
>> 
>> During a meeting today of ROW (https://regiops.net), the I-D on CDS
>> bootstrapping by using a DNSSEC-signed name at name server zone
>> (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/)
>> was discussed.
>> In that discussion, it was mentioned that the current draft only supports
>> out-of-bailiwick name servers; I replied that the same principle could be
>> applied to in-bailiwick name servers by usage of the reverse DNS zones for
>> IPv4 and IPv6.
> 
> Urrgh. In principle, you can put anything you want in a reverse zone.
> (Send mail to jo...@18.183.57.64.in-addr.arpa. and it'll work.)

That's my recollection as well, but as the saying goes, code is law. Although 
in this case only registry/registrar and DNS operator are required to 
interoperate for the bootstrapping process.

> In practice, I doubt that enough reverse zones are signed or that the
> provisioning crudware that people use for reverse zones would work
> often enough to be worth trying to do this. I did some surveys of
> zones and found that in-bailiwick NS are quite uncommon, only a few
> percent of the ones in large gTLDs.

I don't expect the IP space used for DNS servers to be managed thru an IPAM 
system of sorts. But if one is used, it's unlikely they provision a zone-cut as 
required in the draft.

The prevalence among the overall DNS system is indeed low, but I wonder what % 
this represents within services that allow all of DNSSEC, CDS Bootstrapping and 
in-bailiwick DNS servers, like Business and Enterprise plans in Cloudflare: 
https://developers.cloudflare.com/dns/additional-options/custom-nameservers/


Or if supporting this type of DNS server can help the adoption of this draft 
for the 99.9% use case of out-of-bailiwick servers. If not, we could be adding 
a new piece to the DNS Camel...



Rubens




