On Wed, Nov 18, 2020 at 6:29 PM Shumon Huque <[email protected]> wrote:
> On Wed, Nov 18, 2020 at 3:42 PM Peter van Dijk <[email protected]> wrote:
>
>> On Tue, 2020-11-17 at 23:30 +0000, Tony Finch wrote:
>> [...]
>> > If (big if) we think it's worth upgrading the DNS delegation model (and EPP, and all the registries and registrars, and all the IPAM databases and user interfaces, and documentation and textbooks), can we also tackle the scalability problem? By "scalability" I mean the need for a hosting provider to update NNNNN delegations when a server cert changes. And there are decades-old problems keeping delegation NS and glue and DS records correct. (A large chunk of the "it's always DNS" meme comes from how hard it is to understand delegations and update them correctly.) This whole area is a massive pain in the arse sorely in need of universal automation.
>>
>> +100. I've referred to this in other threads - if CloudFlare had gotten anywhere with their attempts to solve the operator / registrant / registrar / registry disconnect problem, all of this would be so much easier.
>
> At ICANN69's DNSSEC Workshop last month, Steve Crocker issued a challenge to DNS Operators to organize and become an officially recognized constituency within ICANN. If that were to happen, then it might be able to address and solve some of these issues over time, given adequate engagement.
>
>> > Any serious attempt at improving delegations needs to deal convincingly with the question of why support for CDS, CDNSKEY, and CSYNC is so appallingly bad.
>>
>> Yes, or in the broader sense, my previous paragraph.
>
> At the same workshop, Jim Galvin spoke about some of the structural reasons why it's challenging for the contracted gTLDs to make progress on supporting these (and also likely why there has only been adoption at a small number of ccTLDs, who are non-contracted parties). This was in relation to CDS and CDNSKEY.
> As far as I can tell, no-one has shown any interest in CSYNC to date.

At the same Workshop, in our presentation I mentioned that we (GoDaddy) are intent on providing CDS/CDNSKEY support. This is to work around the logjam which is the RRR system and its structural limitations. Specifically, we will support our Registrar customers who are not DNS customers, by polling them for CDS/CDNSKEY records no matter who hosts their DNS. We will then submit those via EPP (which we can do only because we are their Registrar). Nothing about this is rocket science, nor is it anything any other Registrar cannot do. It's a hack, but it moves the DNSSEC ball forward, and doesn't require any new DNS "stuff" or Registry changes.

Brian
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
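The poll-CDS/CDNSKEY-then-submit-DS flow Brian outlines, worked through as an added example (not GoDaddy's code and not part of the thread). It covers the pieces a registrar-side poller needs before it can hand anything to EPP: deriving a DS from a CDNSKEY (key tag per RFC 4034 Appendix B, digest over owner name plus RDATA), checking that a published CDS set is consistent with the published CDNSKEY set (RFC 7344 section 4.1), recognising the RFC 8078 "delete DS" signal, and refusing to act on anything that does not line up. The zone name `child.example.` and the 64-byte "public key" are constructed placeholders, and the script runs offline: it assumes the records were already fetched through a DNSSEC-validating resolver and came back authenticated, which is the step a real poller must not skip.

```python
"""
CDS/CDNSKEY -> DS processing a registrar could run before pushing a DS
set through EPP secDNS (RFC 7344, RFC 8078, RFC 5910).  Added example,
not GoDaddy's code; zone name and key bytes are constructed placeholders.
Offline by design: the RRsets are assumed to have been fetched via a
DNSSEC-validating resolver and authenticated (RFC 7344 section 4.1).
"""
import base64
import hashlib
import struct

# DS digest types: RFC 4034 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7 (RFC 4034 section 2.1.1)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_cdnskey(text: str):
    """'flags proto alg base64...' -> (wire RDATA, flags, algorithm)."""
    flags, proto, alg, *key = text.split()
    pub = base64.b64decode("".join(key))
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + pub
    return rdata, int(flags), int(alg)


def parse_ds(text: str):
    """'tag alg dtype hexdigest...' -> (tag, alg, dtype, DIGEST)."""
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()


def ds_digest(owner: str, rdata: bytes, dtype: int) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    h = hashlib.new(DIGEST_ALGS[dtype])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_from_cdnskey(owner: str, cdnskey: str, dtype: int = 2) -> str:
    """DS presentation text derived from one CDNSKEY record."""
    rdata, _, alg = parse_cdnskey(cdnskey)
    return f"{key_tag(rdata)} {alg} {dtype} {ds_digest(owner, rdata, dtype)}"


def is_delete_signal(cds, cdnskey) -> bool:
    """RFC 8078 section 4: 'CDS 0 0 0 00' or 'CDNSKEY 0 3 0 AA==' requests DS removal."""
    return cds == ["0 0 0 00"] or cdnskey == ["0 3 0 AA=="]


def cds_consistent(owner: str, cds, cdnskey) -> bool:
    """Every CDS must be reproducible from a published CDNSKEY (RFC 7344 section 4.1)."""
    keys = {}
    for k in cdnskey:
        rdata, _, alg = parse_cdnskey(k)
        keys[(key_tag(rdata), alg)] = rdata
    for c in cds:
        tag, alg, dtype, digest = parse_ds(c)
        rdata = keys.get((tag, alg))
        if rdata is None or dtype not in DIGEST_ALGS:
            return False
        if ds_digest(owner, rdata, dtype) != digest:
            return False
    return True


def build_epp_ds(owner: str, cds, cdnskey):
    """DS set to submit via EPP secDNS; [] means 'remove the DS at the parent'.
    Raises ValueError on anything inconsistent so the poller refuses to act."""
    cds = [" ".join(c.split()) for c in cds]
    cdnskey = [" ".join(k.split()) for k in cdnskey]
    if is_delete_signal(cds, cdnskey):
        return []
    if not cds and not cdnskey:
        raise ValueError("no CDS or CDNSKEY published; nothing to do")
    for k in cdnskey:
        _, flags, _ = parse_cdnskey(k)
        if not flags & ZONE_KEY_FLAG:
            raise ValueError(f"CDNSKEY without Zone Key flag: {k}")
    for c in cds:
        if parse_ds(c)[2] not in DIGEST_ALGS:
            raise ValueError(f"unsupported DS digest type: {c}")
    if cds and cdnskey and not cds_consistent(owner, cds, cdnskey):
        raise ValueError("CDS and CDNSKEY disagree; refusing to update DS")
    # Use the child's own CDS when present, otherwise derive SHA-256 DS records.
    return sorted(cds) if cds else sorted(ds_from_cdnskey(owner, k) for k in cdnskey)


# Constructed sample: a KSK-shaped CDNSKEY (flags 257, ECDSAP256SHA256) whose
# 64-byte "public key" is just the bytes 0x00..0x3F; it is not a real key.
ZONE = "child.example."
SAMPLE_CDNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(build_epp_ds(ZONE, [ds_from_cdnskey(ZONE, SAMPLE_CDNSKEY)], [SAMPLE_CDNSKEY]))
    print(build_epp_ds(ZONE, ["0 0 0 00"], ["0 3 0 AA=="]))
```

What the block does not do is as important as what it does: it performs no DNSSEC validation of its own, so feeding it CDS/CDNSKEY records obtained from a non-validating lookup would let anyone who can spoof the child's answers rewrite the DS at the parent. RFC 7344 also expects the parent (or the registrar acting for it) to accept CDS/CDNSKEY only for a zone that is already secure, and the delete signal only when the RRset itself validates; bootstrapping a never-signed zone needs an additional policy such as those sketched in RFC 8078, which is exactly the gap the thread is complaining about.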
