On 6/22/22 08:36, Brian Dickson wrote:

> The whole point of the bootstrap mechanism is to onboard the /initial/ DS 
> record for a particular domain securely.
> Once the initial DS is present, there is no further need for bootstrap.
> For a single domain, the only purpose of doing what you propose for a "vanity" 
> name server name, is to accomplish a one-shot action.
> 
> The use of some (any) third party DNS operator whose infrastructure zone(s) 
> is/are signed, for the purposes of doing the bootstrap, followed by migrating 
> the signed zone to another set of name servers securely (e.g. via the 
> multi-signer mechanisms, or via setting the zone up as a signed AXFR from a 
> hidden master), would achieve the same result without any new proposals or 
> implementations required. That would be two steps instead of one, but only at 
> the time of the initial DS. Once that DS is onboard at the parent domain, the 
> bootstrap operator is no longer involved.

It's even more simple: You don't need to do any multi-signer stuff, because 
keys don't change.

If the DNS operator for your domain example.com has out-of-bailiwick nameservers

        ns1.provider.net
        ns2.provider.net

with in-bailiwick vanity names

        ns1.example.com
        ns2.example.com,

you can simply start out with the joint NS record set (the vanity names, and at 
least one of the out-of-bailiwick ones), then perform bootstrapping. When done, 
just drop the out-of-bailiwick ones from the NS rrset.

Rubens, I was not able to give this response ad hoc at the ROW discussion, but 
now I see more clearly. So, thank you for the discussion input -- it has 
clarified some things in my mind!

Best,
Peter

--
https://desec.io/
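The NS-RRset transition Peter describes, as an added example (not code from the thread or from deSEC): it builds the joint NS set used during bootstrapping and the vanity-only set used afterwards, with a label-wise bailiwick check so that a name like ns1.notexample.com is not mistaken for an in-bailiwick name. The requirement that the operator's infrastructure zone is signed is modeled as an input set of zone names (an assumption; a real check would validate that zone's DNSSEC chain).

```python
# Added example: model the two NS RRsets of the vanity-name bootstrap procedure.

def labels(name: str) -> tuple[str, ...]:
    """Normalize a DNS name to a tuple of lowercase labels (trailing dot ignored)."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)

def in_bailiwick(ns: str, zone: str) -> bool:
    """True if ns is at or below zone, compared label by label.
    A plain string-suffix test would wrongly accept ns1.notexample.com for example.com."""
    n, z = labels(ns), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def bootstrap_ns_sets(zone, vanity_ns, provider_ns, signed_infrastructure_zones):
    """Return (initial_ns, final_ns).

    initial_ns: the vanity names plus every provider name that is out of
                bailiwick AND lives under a signed infrastructure zone, since
                only such names can carry the bootstrap signal securely.
    final_ns:   the vanity names only, for use once the DS is at the parent.
    signed_infrastructure_zones is an assumed input: zones known to be signed.
    """
    usable = [ns for ns in provider_ns
              if not in_bailiwick(ns, zone)
              and any(in_bailiwick(ns, z) for z in signed_infrastructure_zones)]
    if not usable:
        raise ValueError("need at least one out-of-bailiwick NS under a signed zone")
    for v in vanity_ns:
        if not in_bailiwick(v, zone):
            raise ValueError(f"{v} is not an in-bailiwick vanity name for {zone}")
    initial = sorted(set(vanity_ns) | set(usable))
    final = sorted(set(vanity_ns))
    return initial, final

if __name__ == "__main__":
    # Constructed sample matching the names used in the thread.
    print(bootstrap_ns_sets("example.com",
                            ["ns1.example.com", "ns2.example.com"],
                            ["ns1.provider.net", "ns2.provider.net"],
                            ["provider.net"]))
```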

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop