On Tue, Mar 02, 2010 at 08:05:38PM +0000, Alex Bligh wrote:
> Ed,
>
> --On 2 March 2010 14:39:45 -0500 Edward Lewis <[email protected]> wrote:
>
> >Telling someone one to change the name server from "ns1.example.tld." to
> >"newdns.example." or "127.0.10.2 to 192.0.2.3" is easier than saying
> >change something from:
> >"94DC01F2763CCB12F4B66AC63910830BC34082F6FE95CD75DAA3C5B37F99DD81"
> >to:
> >"6CDE2DE97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
>
> So, if the registrar is running DNS, then he pushes the DS keys directly
> using EPP or whatever. And the problem arises, if I understand it right,
> when someone other than the registrar (or for that matter the registry) is
> generating the information that goes in the DS record. And whilst
> nameservers (for instance) are likely to be static, this is relatively
> volatile.
>
> My concern is that whatever automatic update mechanism you choose has
> to use some greater level of security than merely relying on the
> zone being signed. So to pick a trivial example
> _DSKEY IN TXT [blob]
> isn't going work, because if you are changing the DS key because
> you fear your keys may have been compromised, that can be compromised
> too. I may be having a failure of imagination but I don't immediately
> see how without some external authentication (yet another key) you
> can securely automatedly push DS key changes about.
>
> --
hum... maybe I should be hounding Ed on this... but I think we should
draw a bright line... we are (imho) talking about pushing DS records
from child to parent. entirely w/in the perview of the DNS protocol/wg.
for non-DNSprotocol players (registries/registrars/registrants) that use
EPP or its varients for pushing DNS data around - thats not w/in scope.
at least for this WG's consideration.
--bill
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
