Ed,

--On 2 March 2010 14:39:45 -0500 Edward Lewis <[email protected]> wrote:

> Telling someone to change the name server from "ns1.example.tld." to "newdns.example." or "127.0.10.2 to 192.0.2.3" is easier than saying change something from: "94DC01F2763CCB12F4B66AC63910830BC34082F6FE95CD75DAA3C5B37F99DD81" to: "6CDE2DE97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"

So, if the registrar is running DNS, then he pushes the DS keys directly using EPP or whatever. And the problem arises, if I understand it right, when someone other than the registrar (or for that matter the registry) is generating the information that goes in the DS record. And whilst nameservers (for instance) are likely to be static, this is relatively volatile.

My concern is that whatever automatic update mechanism you choose has to use some greater level of security than merely relying on the zone being signed. So to pick a trivial example, _DSKEY IN TXT [blob] isn't going to work, because if you are changing the DS key because you fear your keys may have been compromised, that can be compromised too.

I may be having a failure of imagination, but I don't immediately see how, without some external authentication (yet another key), you can securely push DS key changes about in an automated way.

-- 
Alex Bligh

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
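The 64-hex-character strings Ed quotes are the shape of a SHA-256 DS digest, which is computed over the child's DNSKEY rather than being a human-chosen value; the following added example (not from this thread or any IETF implementation, using a constructed, non-real ECDSA P-256 public key for example.tld.) derives a DS record per RFC 4034 and shows why replacing a possibly compromised key yields an unrelated digest that nothing in the child zone itself can vouch for.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY for illustration only: a KSK (flags 257), protocol 3,
# algorithm 13 (ECDSAP256SHA256). The 64 public-key bytes are made up, not a real key.
SAMPLE_OWNER = "example.tld."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()
# A constructed "replacement" key, as a parent would see it after an emergency rollover.
ROLLED_PUBKEY_B64 = base64.b64encode(bytes(range(64, 128))).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercased,
    length-prefixed labels, terminated by the root (zero-length) label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 s5.1.4): hash(owner name wire form || DNSKEY RDATA).
    Digest type 1 is SHA-1 (40 hex chars); type 2 is SHA-256 (64 hex chars)."""
    h = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, proto: int, alg: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Render the DS RR the parent must publish for this child DNSKEY."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64))
    print(ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, ROLLED_PUBKEY_B64))
```

The two printed DS records share nothing but the owner, algorithm and digest type, which is exactly the delta a registrar or registry must authenticate out of band when the child's own keys are suspect.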
