> On 9 Nov 2023, at 22:11, John R Levine <jo...@taugh.com> wrote:
> 
> On Thu, 9 Nov 2023, Joe Abley wrote:
>>> Apropos Joe's message, the child could hypothetically try and send the 
>>> NOTIFY to the parent SOA, e.g. a.gtld-servers.net for .com or .net.  But 
>>> those are clouds of anycast servers and even if you can get that to work, 
>>> they belong to the registry while the notify needs to go to the registrar 
>>> so it can update the registry via EPP.
>> 
>> I don't agree that it's impossible to use an anycast target for this, any 
>> more than it's impossible to distribute any service using anycast.
> 
> I don't think it's impossible either, but it's swatting a fly with a 
> motorcycle.  As far as I know the anycast mirrors do not feed stuff in 
> realtime back to their primaries and this would be quite a change, not to 
> mention needing non-standard hacks to their DNS servers.  (That's "reverse 
> anycast".)

Named at least will forward UPDATE to the primary servers.  It's off by default 
because it hides the source address and UPDATE may be restricted by IP address, 
but it works with both TSIG and SIG(0).  This is standards-defined behaviour.  
TSIG was designed to support this.  SIG(0) requires a bit more care as the QID 
is covered by the SIG(0).  Adding forwarding of NOTIFY(CDS), NOTIFY(CDNSKEY) 
would be trivial.  Directing it to another "server" would also be trivial.

So to be clear, reverse anycast exists today for UPDATE.  It has existed for as 
long as UPDATE has existed.

>> As far as communication with registrars goes, the registry operator is 
>> actually ideally placed to relay general messages to registrars. I'm not 
>> sure why this is being discounted. They already do so for other purposes.
> 
> At that other I* organization we were led to understand that registrars get 
> unhappy when the registry interacts directly with their customers.  If we can 
> get the registrars and registries to go for it, registry forwarding is fine 
> with me, but I don't think it would be a good idea to specify it unless we 
> are confident that people are willing to do it.
> 
> Re stealth, the place you send the NOTIFY is in practice going to be a server 
> that just does the update stuff, not a public or stealth DNS server.
> 
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
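As an added illustration of the UPDATE forwarding described in Mark's message above (not a configuration from the thread or from ISC), here are named.conf fragments for a forwarding secondary and its primary; the zone name, addresses and key name are constructed, and BIND 9.16+ option names are assumed:

```conf
// Added example, not from the thread: BIND 9.16+ named.conf fragments for
// UPDATE forwarding. Zone, addresses and key name are constructed placeholders.

// --- on the secondary (the forwarding "reverse anycast" server) ---
zone "example.net" {
    type secondary;
    primaries { 192.0.2.1; };
    // Off by default ({ none; }). A forwarded UPDATE arrives at the primary
    // with the forwarder's source address, so access control belongs on the
    // primary, not here; { any; } is the form the ARM recommends.
    allow-update-forwarding { any; };
};

// --- on the primary ---
key "update-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   // placeholder, not a real secret
};

zone "example.net" {
    type primary;
    file "example.net.db";
    // Weak once forwarding is enabled: the address the primary sees is the
    // forwarder's, so an address list would admit anything the forwarder relays.
    //   allow-update { 198.51.100.0/24; };
    // Preferred: the client's TSIG signature is forwarded unchanged (TSIG's
    // Original ID field lets a relay rewrite the message ID), so restrict by key.
    allow-update { key update-key; };
};
```

With SIG(0) instead of TSIG the relay must keep the message ID intact, since the signature covers it and there is no Original ID field to fall back on.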
