On Tue, 20 Jun 2023, John Levine wrote:

> It appears that Matthijs Mekking  <matth...@pletterpet.nl> said:
>> Hi,
>>
>> I like this draft because it tackles the issues of wasteful CDS
>> polling and it uses NOTIFY, a mechanism that is well known, already
>> exists in implementations, and actually feels like a good fit (as
>> opposed to overloading).
>
> Agreed.

That's not what the TLDs said during "timers vs triggers". They did not
want NOTIFYs towards their production nameservers. That might have
changed, but I would like to hear from the big TLDs that they are now
in favour of this and would deploy.

If not, perhaps a level of indirection via service record should be
used to point to a specific server (which could still accept NOTIFY)
outside of the parental NS RRset.

Also the registrars did not like being circumvented. While now some
registrars might have changed their mind (or don't care since they
are both registrar and DNS hosting for most of their domains), it
would be good to hear from them.

>> A note on where to send CDS and CSYNC notifications. I sort of
>> understand why the NOTIFY record includes an RRtype field, but will
>> parental entities really have a different target for receiving notifies
>> for CDS and CSYNC?
>
> I've talked to Peter at some length.  The problem is that you will often have
> different targets for different children of the same parent, i.e., registrars
> rather than registries, and I don't see any good way of putting per-child
> info in the parent, particularly a large parent like .ORG or .COM.

The DNS hoster needs to reach the DNS parent. Why wouldn't the parent,
e.g. via a single service record, have a service suitable for all of its
children?

> The existing NOTIFY for AXFR is perfectly usable without a mechanical
> way to say where to send the notifications, so my proposal is to
> continue not to have one. All of the existing AXFR NOTIFY receivers I
> know have ACLs to only accept notifications from relevant primary
> servers, often hidden ones not visible in the DNS, so even if the
> proposal in 5.1 didn't have scaling problems, it only addresses half
> the problem. So take it out.

So you now have 2 half problems? TLDs need (AFAIK from previous
discussion) a way to receive NOTIFYs that's not on the IPs of their NS
RRset. Let's give them one. I don't think an ACL is needed, just a rate
limit to block abusive IP blocks should be enough?

Paul
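The two admission policies argued over above (an ACL of known primaries for zone-transfer NOTIFYs versus a per-source-block rate limit for CDS/CSYNC NOTIFYs) as an added illustration; this is example code, not part of the thread or of any draft or implementation, and the SOA/CDS/CSYNC split, the /24 and /48 bucketing granularity and the sample addresses are assumptions made for the demonstration.

```python
import ipaddress
import time

# Constructed sample ACL: the only primaries whose SOA NOTIFYs are accepted.
PRIMARY_ACL = {ipaddress.ip_network("192.0.2.0/24")}


class NotifyPolicy:
    """Admission policy for one inbound NOTIFY at a parent-side receiver."""

    def __init__(self, rate_per_min=10, acl=PRIMARY_ACL):
        self.acl = acl
        self.capacity = rate_per_min          # burst allowed per source block
        self.refill = rate_per_min / 60.0     # tokens added per second
        self.buckets = {}                     # prefix -> (tokens, last_seen)

    def _prefix(self, ip):
        # Bucket by /24 (IPv4) or /48 (IPv6) so a single abusive block
        # cannot dodge the limit by rotating hosts; assumed granularity.
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 48
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    def _take_token(self, prefix, now):
        tokens, last = self.buckets.get(prefix, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self.buckets[prefix] = (tokens, now)
            return False
        self.buckets[prefix] = (tokens - 1, now)
        return True

    def decide(self, qtype, src_ip, now=None):
        """Return 'accept', 'refused' or 'throttled' for one NOTIFY."""
        now = time.monotonic() if now is None else now
        addr = ipaddress.ip_address(src_ip)
        if qtype == "SOA":
            # Classic AXFR-style NOTIFY: ACL of relevant primaries only.
            return "accept" if any(addr in net for net in self.acl) else "refused"
        if qtype in ("CDS", "CSYNC"):
            # Child-originated NOTIFY: any source, but throttled per block.
            ok = self._take_token(self._prefix(src_ip), now)
            return "accept" if ok else "throttled"
        return "refused"
```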

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop