Jay,

--On 3 March 2010 13:40:53 +1300 Jay Daley <[email protected]> wrote:

I'm sure we could, and an automated update of DS records is a good idea.
But my point is that in the absence of a similar automated mechanism for
NS records we use cut and paste and it works fine, and there is nothing
about DS records that is any more complicated, so cut and paste would work
fine there too.

I thought that yesterday. Ed convinced me otherwise. I think I have
about 20 or 30 domains registered (meaning I look after the registrar
interaction and the DNS for them) with a variety of registrars. I don't
think the NS entries for any of them have changed in the past ten
years, and they are all either pair {a,b} or pair {c,d}. If they
had DS records, this would not apply.

Moreover, I suspect for the vast majority of zones, some third-party
DNS service is going to be signing the zones and producing the DS
records. Unless there is an automated mechanism to move DNS, we are
going to make it difficult for any third-party authoritative DNS
service to exist unless they are also the registry operator.

My non-bar-based straw-man contribution is this (perhaps using a proper
record rather than TXT)
        _DSKEY  IN      TXT     "[DSKEY]:[HASH]"
where [HASH] is a truncated hash of the DS key and a secret shared
(once) between registrar/y and the registrant/DNS operator. Obviously
the record needs to then pass the normal signing checks too. If it
doesn't check out, the previous DS key stays.

--
Alex Bligh
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
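The straw-man `_DSKEY` record from the message above, worked through as an added example (not code from the post or from any IETF document). It assumes HMAC-SHA256 keyed with the once-shared secret as the "truncated hash", 16 hex characters of truncation, and a boolean standing in for the normal DNSSEC validation of the TXT record; all of those are choices made here, not in the post.

```python
import hmac
import hashlib
from typing import Optional

# Assumption: truncate the keyed hash to 16 hex characters (the post fixes no length).
HASH_LEN = 16


def truncated_hash(ds_rdata: str, shared_secret: bytes) -> str:
    """HMAC-SHA256 over the DS rdata, keyed with the shared secret, truncated."""
    mac = hmac.new(shared_secret, ds_rdata.encode(), hashlib.sha256).hexdigest()
    return mac[:HASH_LEN]


def build_dskey_txt(ds_rdata: str, shared_secret: bytes) -> str:
    """Registrant / DNS operator side: the TXT rdata for _DSKEY, "[DSKEY]:[HASH]"."""
    return f'"{ds_rdata}:{truncated_hash(ds_rdata, shared_secret)}"'


def process_dskey_txt(txt_rdata: str, shared_secret: bytes,
                      dnssec_validated: bool, current_ds: Optional[str]) -> Optional[str]:
    """Registrar / registry side: return the DS rdata to publish.

    Every failure path returns current_ds, so a record that does not check
    out leaves the previous DS in place, as the post requires.
    """
    if not dnssec_validated:          # the TXT must pass the normal signing checks first
        return current_ds
    body = txt_rdata.strip('"')
    # DS rdata ("keytag alg digesttype hexdigest") contains no ':', so split on the last one.
    ds_rdata, sep, presented = body.rpartition(":")
    if not sep or len(presented) != HASH_LEN:
        return current_ds
    expected = truncated_hash(ds_rdata, shared_secret)
    if not hmac.compare_digest(presented, expected):  # constant-time comparison
        return current_ds
    return ds_rdata


if __name__ == "__main__":
    # Constructed sample values: a fake shared secret and a fake DS rdata.
    secret = b"constructed-shared-secret"
    new_ds = "12345 13 2 " + "ab" * 32
    txt = build_dskey_txt(new_ds, secret)
    print("published TXT:", txt)
    print("accepted     :", process_dskey_txt(txt, secret, True, "old DS") == new_ds)
    print("tampered     :", process_dskey_txt(txt.replace("12345", "12346"), secret, True, "old DS"))
```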
