As a point of information, all the parent zones (the /8 and /12 RIR delegations in in-addr.arpa and ip6.arpa) are now signed. Or should be. It is possible a couple of stand-out /8 holdings aren't, but that's resolvable at some pain.
The problem would be that for CDN hosting instances of DNS, the uplift of the credentials for a specific NS instance "inside" any given sub-delegation demands that parent space itself be signed, and that they offer some mechanism to allow NS instances to associate their info with the record. It's the classic "how do I make sure my registrar follows spec and supports this", but instead of being about gTLD and ccTLD it's moved into the un-regulated in-addr and ip6 .arpa subspaces, where the registrar in question is an address delegate. Outside of the people who already have mechanisms to do things (the gTLD and ccTLD and the big players and historically vested ISPs and tier-1s) I hazard that few DNS lie in self-managed integral address ranges, and most DNS lies in managed, rented, sub-allocated address space.

-George

On Wed, Jun 22, 2022 at 1:29 PM <rubensk=40nic...@dmarc.ietf.org> wrote:
>
> On 22 Jun 2022, at 00:07, John Levine <jo...@taugh.com> wrote:
>
> > It appears that <rube...@nic.br> said:
> > > Hi.
> > > During a meeting today of ROW (https://regiops.net), the I-D on CDS bootstrapping by using a DNSSEC-signed name at name server zone (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/) was discussed.
> > > In that discussion, it was mentioned that the current draft only supports out-of-bailiwick name servers; I replied that the same principle could be applied to in-bailiwick name server by usage of the reverse DNS zones for IPv4 and IPv6.
> >
> > Urrgh. In principle, you can put anything you want in a reverse zone. (Send mail to jo...@18.183.57.64.in-addr.arpa. and it'll work.)
>
> That's my recollection as well, but as the saying goes, code is law. Although in this case only registry/registrar and DNS operator are required to interoperate for the bootstrapping process.
>
> > In practice, I doubt that enough reverse zones are signed or that the provisioning crudware that people use for reverse zones would work often enough to be worth trying to do this. I did some surveys of zones and found that in-bailiwick NS are quite uncommon, only a few percent of the ones in large gTLDs.
>
> I don't expect the IP space used for DNS servers to be managed thru an IPAM system of sorts. But if one is used, it's unlikely they provision a zone-cut as required in the draft.
>
> The prevalence among the overall DNS system is indeed low, but I wonder what % this represents within services that allow all of DNSSEC, CDS Bootstrapping and in-bailiwick DNS servers, like Business and Enterprise plans in Cloudflare: https://developers.cloudflare.com/dns/additional-options/custom-nameservers/ .
>
> Or if supporting this type of DNS servers can help the adoption of this draft for the 99.9% use case of out-of-bailiwick servers. If not, we could be adding a new piece to the DNS Camel...
>
> Rubens
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
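Rubens's suggestion of reusing the reverse tree for in-bailiwick name servers, worked through as an added example that is not from the thread or from the draft's authors: it builds the draft's `_dsboot.<child>._signal.<ns>` signaling owner name (label scheme as specified in draft-ietf-dnsop-dnssec-bootstrapping) for an out-of-bailiwick NS and, for an in-bailiwick NS, substitutes the in-addr.arpa/ip6.arpa name of the server's address. It also reports the /8 or /12 RIR reverse zone George says is signed, which is the cut such a signaling name would have to chain from. All zone names and addresses are constructed documentation values.

```python
import ipaddress
from typing import Optional

# Signaling-name labels used by draft-ietf-dnsop-dnssec-bootstrapping (assumed here).
DSBOOT_LABEL = "_dsboot"
SIGNAL_LABEL = "_signal"


def _canon(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot."""
    return name.rstrip(".").lower()


def is_in_bailiwick(child_zone: str, ns_name: str) -> bool:
    """An NS is in-bailiwick when its name is at or below the child zone."""
    child, ns = _canon(child_zone), _canon(ns_name)
    return ns == child or ns.endswith("." + child)


def reverse_name(address: str) -> str:
    """Map an IPv4/IPv6 address to its in-addr.arpa / ip6.arpa owner name (FQDN)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def signed_parent_reverse_zone(address: str) -> str:
    """The RIR-delegated reverse zone the thread says is signed: /8 for IPv4, /12 for IPv6."""
    ip = ipaddress.ip_address(address)
    labels = ip.reverse_pointer.split(".")
    keep = 1 if ip.version == 4 else 3  # one octet for a /8, three nibbles for a /12
    return ".".join(labels[-(keep + 2):]) + "."  # + the two suffix labels (in-addr/ip6 . arpa)


def signaling_name(child_zone: str, ns_name: str, ns_address: Optional[str] = None) -> str:
    """Owner name at which the parent looks for the child's CDS/CDNSKEY signaling records.

    Out-of-bailiwick: anchored under the NS hostname, as the draft specifies.
    In-bailiwick: anchored under the reverse name of the NS address instead, which is
    the extension Rubens proposes; the address is then mandatory.
    """
    child = _canon(child_zone)
    if is_in_bailiwick(child, ns_name):
        if ns_address is None:
            raise ValueError("in-bailiwick NS needs an address to anchor in the reverse tree")
        anchor = reverse_name(ns_address)
    else:
        anchor = _canon(ns_name) + "."
    return f"{DSBOOT_LABEL}.{child}.{SIGNAL_LABEL}.{anchor}"
```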