I had thought about this several years ago (ICANN-59, Johannesburg,
June 2017). I was (still am) part of the DNSSEC & Security Workshop
planning committee - and live close by. Thought about an RFP, trip to
IETF? etc.
My thought was for the DNS operator to signal the Parent at a well known
location and send them a domain name - bit like "whois". Would probably
need a reserved port number. I also manage the EDU.ZA Domain Name space
- which now scans for CDS records - etc. At this time, I had a web
button that customers could login to and push - which would then query
the child nameservers for DNSKEY records - etc.
Perhaps "_notify" at the parent? _notify.edu.za on port 430 (not
in use in my /etc/services) and you pass over one word - the domain that
you would like checked. Perhaps rate-limit the port by "sending IP" and
"Domain" asking to be queried.
I presume people can work out who their domain's parent is? ... although
a rewrite of the 'whois' binary could do the trick too.
Might even send back an OK or KO reply: OK = We accept the name and will
probe you, KO = Not here, thank you.
On 2023/11/08 19:05, Peter Thomassen wrote:
> Dear DNSOP,
> As laid out at the DNSOP session on Tuesday,
> draft-ietf-dnsop-generalized-notify (and also
> draft-johani-dnsop-delegation-mgmt-via-ddns) require a method for
> locating the parent-side endpoint (target) where the child DNS
> operator can send a NOTIFY for DS update (or other kind of signal).
--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
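The exchange sketched in the post above, as an added example that is not part of the original mail or of any draft: a child operator derives `_notify.<parent>` for its domain, sends that one word, and the parent answers OK or KO, rate-limiting by (sending IP, domain) and queueing the accepted name for its own CDS/DNSKEY probe. Port 430 is the number the mail picked, not an IANA assignment; the function names, the default limits and the `ParentNotifyService` class are this example's assumptions.

```python
"""Toy model of the "_notify at the parent" signal (added example, not
from the mailing-list post).  Port 430 comes from the mail, not IANA;
class/function names and the rate-limit numbers are assumptions."""

import re

NOTIFY_PORT = 430          # from the mail: an unused port in the author's /etc/services
MAX_PAYLOAD = 255          # a hostname can never legitimately be longer than this
# one hostname label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Canonical form of a hostname, or None if it is not a plausible one.

    Everything the child sends is untrusted input; anything that is not a
    clean dotted hostname is rejected before it reaches DNS code or logs.
    """
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return None
    return name


def parent_of(name):
    """Drop the leftmost label: 'example.edu.za' -> 'edu.za'.

    Assumption: the delegating zone is exactly one label up.  Under deeper
    delegations the real parent may be higher, which is the "can people
    work out who their parent is?" question raised in the mail.
    """
    return name.split(".", 1)[1]


def notify_target(name):
    """Well-known name the child would contact: _notify.<parent>."""
    return "_notify." + parent_of(name)


class ParentNotifyService:
    """Parent-side handler for one zone (e.g. 'edu.za')."""

    def __init__(self, zone, known_children, limit=3, window=3600):
        self.zone = zone
        self.known_children = set(known_children)  # names actually delegated from this zone
        self.limit = limit                         # accepted hints per (peer, domain) per window
        self.window = window                       # seconds
        self._hits = {}                            # (peer_ip, domain) -> [timestamps]
        self.pending = set()                       # domains queued for a CDS/DNSKEY probe

    def handle(self, peer_ip, payload, now):
        """Return 'OK' (name accepted, probe queued) or 'KO' (not here, thank you).

        Malformed, unknown and rate-limited requests all get the same KO,
        so the reply never says which of those it was.
        """
        # exactly one word of sane length, checked before any parsing
        if len(payload) > MAX_PAYLOAD or len(payload.split()) != 1:
            return "KO"
        name = normalize(payload)
        if name is None:
            return "KO"
        # only names delegated from this parent are our business
        if parent_of(name) != self.zone or name not in self.known_children:
            return "KO"
        # rate-limit by (sending IP, domain), as the mail suggests
        key = (peer_ip, name)
        recent = [t for t in self._hits.get(key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            return "KO"
        recent.append(now)
        self._hits[key] = recent
        # the hint is unauthenticated; the real check is the parent's own
        # DNS query of the child's nameservers, which is merely scheduled here
        self.pending.add(name)
        return "OK"


if __name__ == "__main__":
    svc = ParentNotifyService("edu.za", {"example.edu.za"}, limit=2)
    print(notify_target("example.edu.za"))  # _notify.edu.za
    for payload in ["example.edu.za", "example.edu.za", "example.edu.za",
                    "other.edu.za", "example.co.za", "example.edu.za extra"]:
        print(payload, "->", svc.handle("192.0.2.1", payload, now=1000))
```

The point worth keeping from this model is that the signal carries no authority: an OK only means the parent will go and look at the child's own nameservers, exactly as the existing CDS scanner already does, so a forged or replayed notify can at worst cause one extra DNS lookup, and the per-(IP, domain) limit bounds even that.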
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop