On 3/14/15, 4:00 AM, "Viktor Dukhovni" <[email protected]> wrote:
>On Fri, Mar 13, 2015 at 01:10:21PM -0700, Paul Hoffman wrote:
>
>> This could go either way. If the WG thinks that the user, or
>> someone responsible for the user, will add and change DNS records
>> for that user, your proposal would clearly be better because you
>> could delegate the user to a new subzone. On the other hand, if
>> the WG thinks that the security admin will be the one adding and
>> changing records for a particular type of mail security, then the
>> design we are using now is better. I lean towards the second, but
>> can see the merit of the first now that people are thinking of
>> using this for things other than just mail security.
>
>I think this mental model of tools that update the DNS is too naive.
>It seems to assume that the tools can make decisions based only
>on the requestor credentials and the owner name of the RRset to
>be added.

I agree enthusiastically.

>
>I think it is far more likely that administrators and users will
>be interacting with a middle-ware management system that enables
>them to add and remove keys and *that* system will be able to
>publish all the requisite records on behalf of either individual
>users or administrators.

This is exactly the direction I think things need to head to move DANE adoption forward into the mainstream.

>
>So the structure of the DNS namespace should be optimized for
>clarity/simplicity, rather than a presumed set of management tools
>(e.g. direct authorization to inject records via dynamic update into
>a particular portion of the namespace).
>
>-- 
>	Viktor.
>
>_______________________________________________
>dane mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/dane
