Hi Paul,

We addressed the last open issue (see below) and submitted a new revision (-10).

Thanks for the helpful discussion, I feel it's made the draft better!

On 5/18/24 03:23, Peter Thomassen wrote:
OLD
   CDS/CDNSKEY records and corresponding signaling records MUST NOT be
   published without the zone owner's consent.  Likewise, the child DNS
   operator MUST enable the zone owner to signal the desire to turn off
   DNSSEC by publication of the special-value CDS/CDNSKEY RRset
   specified in [RFC8078] Section 4.  To facilitate transitions between
   DNS operators, child DNS operators SHOULD support the multi-signer
   protocols described in [RFC8901].

NEW
   It is possible to add CDS/CDNSKEY records and corresponding signaling
   records to a zone without explicit knowledge of the domain owner.  To
   spare domain owners from being caught off guard by state changes
   induced by this practice, Child DNS operators doing so are advised to
   make this transparent.

Maybe add:   ", for example by notifying the domain owner via email".

Mmh, I find this quite prescriptive ("a priming example"). It could also be 
done as an info box when you create the zone (perhaps you can untick a box to disable), 
or as an advertised feature when you book the plan. Those approaches seem favorable, 
because they are ahead of time (before it actually happens), while a notification is 
after the fact.

Now, I'm not sure whether we should go into elaborating on all of this; but *if* we say 
something, I feel we should mention one of the "ahead-of-time" ways. I'd be 
curious to know what you think of this.

NEW
   It is possible to add CDS/CDNSKEY records and corresponding signaling
   records to a zone without the domain owner's explicit knowledge.  To
   spare domain owners from being caught off guard by the ensuing DS
   changes, child DNS operators following this practice are advised to
   make that transparent, such as by informing the domain owner during
   zone creation (e.g., in a GUI), or by notifying them via email.

Thanks,
Peter

--
https://desec.io/
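The wording above concerns domain owners being surprised by DS changes that a parent derives from CDS/CDNSKEY records the child operator publishes. As an added illustration (not code from the draft, deSEC, or anyone in this thread), here is a small owner-side monitoring check: it parses a zone's CDS RRset in presentation format, recognises the RFC 8078 Section 4 "delete" signal, and reports what a CDS-honouring parent would do to the DS RRset. All records and digests below are constructed sample values, and the parent's current DS set is an assumed input.

```python
"""Classify a child zone's CDS RRset against the DS set the parent currently holds.

Added example for monitoring one's own zone; the sample records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CDS:
    """One CDS record (same field layout as DS: key tag, algorithm, digest type, digest)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper-cased so comparisons with the parent's DS are exact


def parse_cds(rr: str) -> CDS:
    """Parse a CDS record in presentation format, e.g.
    'example.test. 3600 IN CDS 12345 13 2 DEADBEEF...'.
    Whitespace inside the digest is tolerated (zone files often wrap it)."""
    fields = rr.split()
    idx = fields.index("CDS")
    key_tag, algorithm, digest_type = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()
    return CDS(key_tag, algorithm, digest_type, digest)


def is_delete_signal(cds: CDS) -> bool:
    """RFC 8078 Section 4: 'CDS 0 0 0 00' asks the parent to remove all DS records.
    The digest is written as '0' in the RFC text and '00' per its erratum; accept both."""
    return (cds.key_tag == 0 and cds.algorithm == 0 and cds.digest_type == 0
            and set(cds.digest) <= {"0"})


def classify(cds_rrs, parent_ds):
    """Return (status, ds_to_add, ds_to_remove) as a CDS-honouring parent would act.

    status is one of:
      'no-cds'     - no CDS published; parent leaves DS unchanged
      'dnssec-off' - delete signal present; parent removes every DS (DNSSEC off)
      'in-sync'    - CDS matches the parent's DS exactly; nothing happens
      'ds-change'  - CDS differs; parent will replace the DS set (owner should be told)
    """
    cds = {parse_cds(rr) for rr in cds_rrs}
    parent_ds = set(parent_ds)
    if not cds:
        return ("no-cds", set(), set())
    if any(is_delete_signal(c) for c in cds):
        return ("dnssec-off", set(), parent_ds)
    if cds == parent_ds:
        return ("in-sync", set(), set())
    return ("ds-change", cds - parent_ds, parent_ds - cds)


def notification(zone: str, cds_rrs, parent_ds) -> str:
    """Owner-facing summary, the kind of notice the draft text suggests sending."""
    status, add, remove = classify(cds_rrs, parent_ds)
    if status == "in-sync" or status == "no-cds":
        return f"{zone}: no pending DS change at the parent"
    if status == "dnssec-off":
        return f"{zone}: CDS delete signal published; parent will remove {len(remove)} DS record(s) and DNSSEC will be turned off"
    return f"{zone}: parent will add {len(add)} and remove {len(remove)} DS record(s)"


# Constructed sample data (not real keys or digests).
ZONE = "example.test."
PARENT_DS = {CDS(12345, 13, 2, "DEADBEEF" * 8)}
SAMPLE_IN_SYNC = [f"{ZONE} 3600 IN CDS 12345 13 2 " + "DEADBEEF" * 8]
SAMPLE_NEW_KEY = [f"{ZONE} 3600 IN CDS 23456 13 2 " + "CAFEBABE" * 8]
SAMPLE_DELETE = [f"{ZONE} 3600 IN CDS 0 0 0 00"]

if __name__ == "__main__":
    for sample in (SAMPLE_IN_SYNC, SAMPLE_NEW_KEY, SAMPLE_DELETE, []):
        print(notification(ZONE, sample, PARENT_DS))
```

Run periodically against the child zone's authoritative servers, this distinguishes a routine key rollover (a DS replacement) from the delete signal that switches DNSSEC off entirely, which is exactly the state change a domain owner would not want to learn about after the fact.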

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
