On 6/22/22 08:36, Brian Dickson wrote:
> The whole point of the bootstrap mechanism is to onboard the /initial/ DS record for a particular domain securely. Once the initial DS is present, there is no further need for bootstrap. For a single domain, the only purpose of doing what you propose for a "vanity" name server name is to accomplish a one-shot action. The use of some (any) third party DNS operator whose infrastructure zone(s) is/are signed, for the purposes of doing the bootstrap, followed by migrating the signed zone to another set of name servers securely (e.g. via the multi-signer mechanisms, or via setting the zone up as a signed AXFR from a hidden master), would achieve the same result without any new proposals or implementations required. That would be two steps instead of one, but only at the time of the initial DS. Once that DS is onboard at the parent domain, the bootstrap operator is no longer involved.
It's even simpler: you don't need to do any multi-signer stuff, because keys don't change. If the DNS operator for your domain example.com has out-of-bailiwick nameservers ns1.provider.net and ns2.provider.net with in-bailiwick vanity names ns1.example.com and ns2.example.com, you can simply start out with the joint NS record set (the vanity names, and at least one of the out-of-bailiwick ones), then perform bootstrapping. When done, just drop the out-of-bailiwick ones from the NS rrset.

Rubens, I was not able to give this response ad hoc at the ROW discussion, but now I see more clearly. So, thank you for the discussion input -- it has clarified some things in my mind!

Best,
Peter

--
https://desec.io/
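The NS-set transition Peter describes, worked through as an added example (this is not code from the thread or from deSEC). It classifies each name server as in- or out-of-bailiwick for the child zone, builds the transitional RRset (vanity names plus at least one out-of-bailiwick name), derives the RFC 9615 signaling names only for the out-of-bailiwick servers (an in-bailiwick name cannot carry the signaling records, because its zone is the still-unsigned child), and then produces the final vanity-only RRset. The zone and host names are the ones from the message; the functions and the `ValueError` checks are this example's own.

```python
"""Constructed example: NS-set transition for DNSSEC bootstrapping with vanity names."""


def _labels(name: str) -> tuple[str, ...]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return tuple(name.lower().rstrip(".").split("."))


def is_in_bailiwick(ns_name: str, zone: str) -> bool:
    """True when ns_name is at or below zone (ns1.example.com is in example.com)."""
    ns, z = _labels(ns_name), _labels(zone)
    return len(ns) >= len(z) and ns[-len(z):] == z


def split_ns_set(zone: str, ns_names: list[str]) -> tuple[list[str], list[str]]:
    """Return (in-bailiwick names, out-of-bailiwick names), each sorted."""
    in_b = sorted(n for n in ns_names if is_in_bailiwick(n, zone))
    out_b = sorted(n for n in ns_names if not is_in_bailiwick(n, zone))
    return in_b, out_b


def transitional_ns_set(zone: str, vanity_names: list[str], provider_names: list[str]) -> list[str]:
    """Joint NS RRset used during bootstrapping.

    Every vanity name must be in-bailiwick, and at least one provider name must be
    out-of-bailiwick, otherwise no signed zone exists to publish the signaling records.
    """
    bad_vanity = [n for n in vanity_names if not is_in_bailiwick(n, zone)]
    if bad_vanity:
        raise ValueError(f"vanity names must be in-bailiwick for {zone}: {bad_vanity}")
    if not any(not is_in_bailiwick(n, zone) for n in provider_names):
        raise ValueError("at least one out-of-bailiwick name server is required for bootstrapping")
    return sorted(set(vanity_names) | set(provider_names))


def signaling_names(zone: str, ns_names: list[str]) -> list[str]:
    """RFC 9615 signaling names (_dsboot.<child>._signal.<ns>) for out-of-bailiwick servers.

    The CDS/CDNSKEY copies are published there; in-bailiwick servers are skipped
    because their zone is the unsigned child itself.
    """
    _, out_b = split_ns_set(zone, ns_names)
    child = zone.rstrip(".")
    return [f"_dsboot.{child}._signal.{ns.rstrip('.')}." for ns in out_b]


def final_ns_set(zone: str, ns_names: list[str]) -> list[str]:
    """After the DS is at the parent: keep only the in-bailiwick (vanity) names."""
    in_b, _ = split_ns_set(zone, ns_names)
    return in_b


if __name__ == "__main__":
    zone = "example.com"
    vanity = ["ns1.example.com", "ns2.example.com"]
    provider = ["ns1.provider.net", "ns2.provider.net"]
    joint = transitional_ns_set(zone, vanity, provider)
    print("step 1, joint NS RRset:", joint)
    print("step 2, signaling names to check:", signaling_names(zone, joint))
    print("step 3, final NS RRset:", final_ns_set(zone, joint))
```

The ordering matters for the same reason Peter gives: the keys in example.com never change, so the only thing that moves is the NS RRset, and the out-of-bailiwick names are dropped only after the parent has published the DS.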