On Tue, 2 Mar 2010, Doug Barton wrote:
>
> Throwing in some more bullet points:
> 1. There MUST be an OOB (where the B is DNS) channel for initial zone
> configuration, contact info changes, etc.
> 2. This channel already exists for Registrant/Admin/Billing/Technical
> contact info, name servers, etc.
> 3. The existing elements of the channel that Antoin identified are all
> familiar, and relatively comfortable with this channel, and get way more
> stuff that flows through it right than they get wrong.
> 4. It's pretty easy to make the argument that DS records fit nicely into
> that channel "like" NS records.
> 5. The very large number of misconfigured name servers out there now
> argue strongly against considering DNS a "secure" channel.
> 6. There has to be an OOB mechanism for domain holders to enter DS key
> data in any case to deal with emergencies, restarts, etc.

I think I agree with everything except point 5. The aim of automating this is to reduce misconfiguration. You are arguing that delegations are frequently a bit broken, so there's no point doing anything to reduce the breakage. But we know DNSSEC makes breakage more likely (because of key rollovers) and can turn minor breakage into serious breakage.

> In my mind all of these points argue strongly against putting work into
> this, even if the RRR channel was likely to adopt it, which I am
> extremely skeptical about.

It would be very helpful to be able to do automatic delegation updates in lower levels of the DNS tree.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
