On Fri, Mar 13, 2015 at 01:10:21PM -0700, Paul Hoffman wrote:
> This could go either way. If the WG thinks that the user, or
> someone responsible for the user, will add and change DNS records
> for that user, your proposal would clearly be better because you
> could delegate the user to a new subzone. On the other hand, if
> the WG thinks that the security admin will be the one adding and
> changing records for a particular type of mail security, then the
> design we are using now is better. I lean towards the second, but
> can see the merit of the first now that people are thinking of
> using this for things other than just mail security.
I think this mental model of tools that update the DNS is too naive.
It seems to assume that the tools can make decisions based only
on the requestor credentials and the owner name of the RRset to
be added.
I think it is far more likely that administrators and users will
be interacting with a middle-ware management system that enables
them to add and remove keys and *that* system will be able to
publish all the requisite records on behalf of either individual
users or administrators.
So the structure of the DNS namespace should be optimized for
clarity/simplicity, rather than a presumed set of management tools
(e.g. direct authorization to inject records via dynamic update into
a particular portion of the namespace).
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
