Hi all,

As far as I'm concerned, the pain in maintaining a secure delegation is often too high, and way too many DNS delegations are still insecure. I presume that many of you agree, which (supposedly) is why mechanisms like RFC 8078 have been created. And indeed, RFC 8078 is great for rollovers.

Unfortunately, current methods for bootstrapping a secure delegation are manual/slow/out-of-band/error-prone (registrar's web interface) or slow/unauthenticated (monitor CDS/CDNSKEY for a few days via TCP and hope for the best).

As an operator that's trying to push DNSSEC, I wish this situation could be improved. With the below draft, I am proposing how I think the problem could be solved in-band, authenticated and immediate. I've asked some registries, and they see value in it.

While I know that the WG currently does not adopt any documents, I still would like to share it, and possibly have a discussion about it. Is there any interest in this?

Thanks,
Peter

-------- Forwarded Message --------
Subject: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-00.txt
Date: Tue, 29 Jun 2021 17:46:53 -0700
From: internet-dra...@ietf.org
To: Peter Thomassen <pe...@desec.io>

A new version of I-D, draft-thomassen-dnsop-dnssec-bootstrapping-00.txt has been successfully submitted by Peter Thomassen and posted to the IETF repository.

Name: draft-thomassen-dnsop-dnssec-bootstrapping
Revision: 00
Title: DNSSEC Bootstrapping
Document date: 2021-06-30
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/archive/id/draft-thomassen-dnsop-dnssec-bootstrapping-00.txt
Status: https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/
Html: https://www.ietf.org/archive/id/draft-thomassen-dnsop-dnssec-bootstrapping-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-dnssec-bootstrapping

Abstract:
This document describes an authenticated in-band method for automatic signaling of a DNS zone's delegation signer information from the zone's DNS operator. The zone's registrar or registry may subsequently use this signal for automatic DS record provisioning in the parent zone.
The IETF Secretariat
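The gap the post describes is a parent acting on CDS/CDNSKEY it cannot authenticate. As an added example (not from the post or the draft), the Python below shows the parent-side steps that do exist today: deriving the DS from a CDNSKEY (RFC 4034/4509), checking that a child's CDS and CDNSKEY agree as RFC 7344 requires, and refusing to act unless the resolver reported the RRsets as DNSSEC-secure. The owner name, key bytes and function names are constructed for this example.

```python
import hashlib

# Constructed sample child zone and key material: the key bytes are a
# placeholder of the right length for algorithm 13, not a real P-256 point.
EXAMPLE_OWNER = "example."
EXAMPLE_PUBKEY = bytes(range(1, 65))
EXAMPLE_CDNSKEY = (257, 3, 13, EXAMPLE_PUBKEY)  # flags, protocol, algorithm, key

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes) -> tuple:
    """DS RDATA (key tag, algorithm, digest type 2, hex digest) for a DNSKEY.
    Digest = SHA-256(owner name in wire form || DNSKEY RDATA), RFC 4034/4509."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def cds_matches_cdnskey(owner: str, cds_set, cdnskey_set) -> bool:
    """RFC 7344: if a child publishes both CDS and CDNSKEY they must describe
    the same keys; on a mismatch the parent must not change the delegation."""
    derived = {ds_from_dnskey(owner, *k) for k in cdnskey_set}
    return derived == set(cds_set)

def accept_signal(validation_status: str, owner: str, cds_set, cdnskey_set) -> bool:
    """Act only on a signal the resolver validated as DNSSEC-secure. For an
    unsigned (insecure) child the CDS/CDNSKEY RRsets carry no authentication,
    which is the bootstrapping gap the post describes, so the answer is no."""
    if validation_status != "secure":
        return False
    return cds_matches_cdnskey(owner, cds_set, cdnskey_set)
```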
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop