I'd like to start a thread about alternatives to encoding fingerprints in NS names. As I noted in the meeting (unless I'm significantly misunderstanding the proposal), this is a non-starter for large operators like us. It's not feasible to get our customers to change every NS record in their thousands of domains, and there's no way to do any sort of incremental rollout. Customers are reluctant to even finish KSK rotations (by updating the DS in the parent), I can't imagine trying to get them to update NS records to enable this feature, let alone update them for an emergency keypair rotation.
We use the encoding in our infrastructure zone that hosts customer authoritative NS names (in this case, akam.net), but that creates a gap in the chain. On the call, someone (Wes?) proposed an alternative such as records in the reverse zones. That would be a huge win for us, since we have a small, finite set of nameserver IPs and easily control our reverse zones (as, I would imagine, do other large providers). I wasn't in Bangkok, so I'm not sure if there were any specific implementation proposals kicked around, but I'd like to start talking about what that would look like. Something TLSA-ish at the reverse name for the nameserver IP? There's obviously some overhead with the recursive having to look up reverse names for NS IPs, but large TTL values could help with that.

-Jon

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
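To make the "TLSA-ish record at the reverse name" idea concrete, here is an added example of what the resolver-side check and the operator-side publication could look like. It is not code from the post above or from any DPRIVE draft; it is my own sketch. Assumptions, labelled as such: the record lives under a `_853._tcp.` prefix (borrowed from TLSA's naming) below the nameserver IP's standard in-addr.arpa / ip6.arpa name, the RDATA reuses the TLSA wire layout (usage, selector, matching type, association data), and the DNS lookup is replaced by an in-memory dictionary so the code runs offline. The SPKI byte strings and the 192.0.2.53 / 2001:db8::53 addresses are constructed sample data, and `_dns_overlap` rotation handling is the practitioner caveat, not something the post specifies.

```python
"""Reverse-tree fingerprint records for authoritative nameserver IPs.

Added illustration of the proposal in the post above; not the post's own
code. Assumed naming: _853._tcp.<reverse name of NS IP>. Assumed RDATA:
TLSA wire format (RFC 6698 section 2.1). The "zone" is an in-memory
stand-in for a DNS lookup so this runs with no network access.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# TLSA field values (RFC 6698): DANE-EE usage, SubjectPublicKeyInfo selector,
# and the three defined matching types.
USAGE_DANE_EE = 3
SELECTOR_SPKI = 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def reverse_name(ip: str) -> str:
    """Map a nameserver IP to its reverse-tree owner name.

    IPv4 -> d.c.b.a.in-addr.arpa; IPv6 -> 32 reversed nibbles under ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def tlsa_owner(ip: str, port: int = 853) -> str:
    """Assumption (not from the post): put the record at _port._tcp.<reverse name>."""
    return f"_{port}._tcp.{reverse_name(ip)}"


def encode_tlsa(usage: int, selector: int, mtype: int, data: bytes) -> bytes:
    """Build TLSA RDATA wire format: usage(1) selector(1) matching_type(1) data(n)."""
    return bytes([usage, selector, mtype]) + data


def parse_tlsa(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA wire format; rejects records too short to carry the header."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def spki_matches(rec: TLSA, spki_der: bytes) -> bool:
    """True if the presented SubjectPublicKeyInfo matches this record.

    Only DANE-EE + SPKI records are considered; anything else, including an
    unknown matching type, is treated as unusable rather than as a match.
    """
    if rec.usage != USAGE_DANE_EE or rec.selector != SELECTOR_SPKI:
        return False
    if rec.matching_type == MATCH_FULL:
        return rec.data == spki_der
    if rec.matching_type == MATCH_SHA256:
        return rec.data == hashlib.sha256(spki_der).digest()
    if rec.matching_type == MATCH_SHA512:
        return rec.data == hashlib.sha512(spki_der).digest()
    return False


def lookup_and_verify(zone: dict, ns_ip: str, spki_der: bytes) -> bool:
    """Resolver step: fetch the RRset at the NS IP's reverse-tree owner name and
    accept the server's key if any published record matches it.

    `zone` is a constructed dict {owner name: [rdata, ...]} standing in for
    the actual (cacheable, long-TTL) DNS lookup.
    """
    rrset = zone.get(tlsa_owner(ns_ip), [])
    return any(spki_matches(parse_tlsa(r), spki_der) for r in rrset)


# Constructed sample data: stand-ins for DER-encoded SPKI blobs and NS addresses.
OLD_SPKI = b"constructed-old-spki-der"
NEW_SPKI = b"constructed-new-spki-der"
NS_V4 = "192.0.2.53"
NS_V6 = "2001:db8::53"


def build_zone(overlap: bool) -> dict:
    """Operator side. With `overlap` set, both the old and the new key's
    fingerprint are published, which is how a rotation (planned or emergency)
    can be rolled out without breaking resolvers that still hold the old key
    or a cached RRset.
    """
    recs = [encode_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                        hashlib.sha256(NEW_SPKI).digest())]
    if overlap:
        recs.append(encode_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                                hashlib.sha256(OLD_SPKI).digest()))
    return {tlsa_owner(NS_V4): recs, tlsa_owner(NS_V6): recs}


if __name__ == "__main__":
    zone = build_zone(overlap=True)
    print(tlsa_owner(NS_V4), "->", len(zone[tlsa_owner(NS_V4)]), "record(s)")
    print("old key accepted during overlap:", lookup_and_verify(zone, NS_V4, OLD_SPKI))
    print("old key accepted after cutover:", lookup_and_verify(build_zone(False), NS_V4, OLD_SPKI))
```

The operator-side half is the part that matters for the rollout concern in the post: because the record set is keyed by nameserver IP rather than by every customer's NS names, a provider publishes one RRset per address it operates and rotates keys by adding the new fingerprint, waiting out the TTL, then dropping the old one, with no customer action at all.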
