At 19:17 +0000 3/2/10, Alex Bligh wrote:
> Ed,
> --On 2 March 2010 09:38:50 -0500 Edward Lewis <[email protected]> wrote:
> > Only in the last week did it sink into me that the problem is that we
> > need a way to push DS records along the established registration path and
> > not the DNS operations path. What this means - for registries that
> > operate DNS and have direct dealings with registrants, the DS can go from
> > the registrant's designated DNS operator to the registry. For registries
> > that deal exclusively with registrars, the registrant's DNS operator has
> > to know how to get the DS to the registrar (who in turn will use some
> > other protocol to reach the registry).
> I'm probably being very thick here, but could you explain why conceptually
> this needs to be any different from the path taken to populate the NS
> record and glue records (whether under DNSSEC or not)? Or are you only
> suggesting this is the case where some sort of automatic pull is
> in place?
Two reasons why the transfer is different although the path is the same:
1) Timing of the transfer.
1a First the DS record will be "in motion" much more frequently than
an NS or address record would be.
1b Second the DS record will go "in motion" based on some time cycle
and not all that event based.
2) The difficulty factor.
Telling someone to change the name server from "ns1.example.tld."
to "newdns.example." or "127.0.10.2 to 192.0.2.3" is easier than
saying change something from:
"94DC01F2763CCB12F4B66AC63910830BC34082F6FE95CD75DAA3C5B37F99DD81"
to:
"6CDE2DE97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
To explain 1a further - in today's environment, simple sites will be
set up and left alone. With DNSSEC, keys are expected to be changed
more frequently. Granted, given some recent talk, maybe not all that
much more often.
As far as 1b - the transfer of the DS might be "because it is March
1st" or "because we suspect bad activity." Before, the NS's really
changed when "I've had it with that DNS provider, that was the last
time!"
Now, really, if the *path* from org to org is the same as NS and
glue, that would be good. It's just that we can't see the consumer
wanting to handle the ugly data (part 2). Yes, we want security,
but, we also want the same security as the NS and glue data - they
are more important (and already have been shown to be more
vulnerable, see SQL injection attack:
http://en.wikipedia.org/wiki/SQL_injection_attack.)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
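Editor's added example, not code from the thread or from any registry or registrar: the two 64-character strings quoted in the message are SHA-256 DS digests, and a DS is derived from the child's DNSKEY as hash(canonical owner name || DNSKEY RDATA) per RFC 4034 section 5.1.4, which is why every KSK roll puts a new, unrelated-looking DS "in motion". The code below computes the DS from a presentation-format DNSKEY RR. The owner name "example." and the four-octet key material are constructed placeholders (not a real RSA key; they only exercise the key-tag and digest arithmetic), and the function names are this example's own.

```python
"""Derive a DS record from a DNSKEY (RFC 4034 section 5.1.4, RFC 4509).

Added example for this page; not code from the thread or from any registry.
The DNSKEY below is constructed placeholder data, not a real key.
"""
import base64
import hashlib
import struct

# DS digest type -> hashlib name (RFC 4034 type 1, RFC 4509 type 2, RFC 6605 type 4)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2):
    labels lowercased, each prefixed by its length, terminated by the root label."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if not label:  # the root name "." splits into a single empty label
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is refused)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8  # odd offsets add the octet, even add it shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(canonical_owner_name(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR; TTL and class may be present or absent."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(tokens[idx + 4:]))  # base64 may be split across tokens
    return owner, flags, protocol, algorithm, public_key


def dnskey_to_ds(line: str, digest_type: int = 2) -> str:
    """Presentation-format DNSKEY RR -> presentation-format DS RR."""
    owner, flags, protocol, algorithm, public_key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type,
                                      ds_digest(owner, rdata, digest_type))


# Constructed placeholder (flags 257 = KSK, protocol 3, algorithm 8). The four
# key octets are NOT a real RSA public key; they only exercise the arithmetic.
PLACEHOLDER_KEY = bytes([0x01, 0x03, 0x0B, 0xE7])
PLACEHOLDER_DNSKEY = "example. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(PLACEHOLDER_KEY).decode()
# A "rolled" key: same owner and flags, one key octet different, hence an unrelated DS.
ROLLED_DNSKEY = "example. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(bytes([0x01, 0x03, 0x0B, 0xE8])).decode()

if __name__ == "__main__":
    print(dnskey_to_ds(PLACEHOLDER_DNSKEY))
    print(dnskey_to_ds(ROLLED_DNSKEY))
```

Running it prints the DS for the placeholder key and for its rolled successor; the digests share nothing, which is the "ugly data" the message says a registrant cannot be expected to retype, and the owner-name canonicalization (lowercasing, wire format) is the detail most often got wrong when a DS is assembled by hand at a registrar.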