Hi Wolfgang,

My concern was not about the updates but rather about the gigantic number of keys a busy parent would have to create, revoke, store, renew, etc.

It doesn't make sense to me to utilize symmetric encryption (such as TSIG) to solve this problem. A scheme that utilized an asymmetric key would be a much better fit. DNSSEC itself would be a strong candidate here.

Thanks, S

----------------------------------------------------------------------
Stephan Lagerholm
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation, www.secure64.com
Cell: 469-834-3940

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Wolfgang Nagele
> Sent: Tuesday, June 29, 2010 9:44 AM
> To: Stephan Lagerholm
> Cc: [email protected]; Matthijs Mekking
> Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00
>
> Hi Stephan,
>
> > I like this draft but I'm a little bit concerned about the scalability.
> > How will a busy parent provision a unique secret key for each of the
> > children?
> Do you mean the scalability for capacity on the update server side? Although
> BIND might not be able to scale this out of the box, the example has only been
> given in the draft to have a hands-on way for ppl to try this draft.
>
> In reality it should not be a major issue to receive those DNS updates and
> process them (with or without signatures) - similar efforts are currently made
> for each request to change NS-sets on the parent (admittedly those might happen
> less frequently).
>
> > And how will this key be transported between the parent and the
> > child in a secure way?
> The same way a parent is currently providing a domain owner with credentials for
> their management interfaces. If a domain owner has specific requirements in
> terms of security on that channel it is something where registrars can offer
> whatever their customers demand.
>
> Regards,
> Wolfgang
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
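To make the per-child key-provisioning point concrete, here is an added example (not code from the draft or from either poster) of what a TSIG-protected child-to-parent update looks like on the parent side: the parent must hold one shared secret per child in a keyring and look it up by key name before it can verify anything. The MAC input follows the TSIG request layout of RFC 8945 section 4.3.3; the zone names, secret and UPDATE payload are constructed placeholders.

```python
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."  # TSIG algorithm name as it appears in the TSIG RR

def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a DNS name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_digest_input(message, key_name, time_signed, fudge):
    """Bytes covered by a TSIG request MAC (RFC 8945, 4.3.3): the DNS message
    without the TSIG RR, then the TSIG variables: NAME, CLASS ANY (255), TTL 0,
    algorithm name, 48-bit time signed, fudge, error 0, other-len 0."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)
                 + wire_name(ALGORITHM)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                               fudge, 0, 0))
    return message + variables

def sign_update(message, key_name, secret, time_signed, fudge=300):
    """Child side: the MAC that the TSIG RR appended to the UPDATE would carry."""
    data = tsig_digest_input(message, key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def verify_update(keyring, message, key_name, mac, time_signed, fudge, now):
    """Parent side. keyring maps TSIG key name -> shared secret, so every child
    allowed to push a DS change needs its own provisioned entry. Returns the
    TSIG error name the parent would answer with (checks in RFC 8945 5.2 order)."""
    secret = keyring.get(key_name.lower())
    if secret is None:
        return "BADKEY"          # no secret provisioned for this child
    expected = sign_update(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"          # message or MAC altered
    if abs(now - time_signed) > fudge:
        return "BADTIME"         # replayed or clock-skewed request
    return "NOERROR"

# Constructed stand-in for the UPDATE that would carry child1's new DS record.
UPDATE = b"constructed UPDATE: add DS record for child1.example."
PARENT_KEYRING = {"child1.example.": b"constructed-secret-for-child1"}  # one per child

def demo(now=1277826240):
    """Accepted update, unknown child, tampered message, stale timestamp."""
    mac = sign_update(UPDATE, "child1.example.", PARENT_KEYRING["child1.example."], now)
    ok = verify_update(PARENT_KEYRING, UPDATE, "child1.example.", mac, now, 300, now)
    unknown = verify_update(PARENT_KEYRING, UPDATE, "child2.example.", mac, now, 300, now)
    tampered = verify_update(PARENT_KEYRING, UPDATE + b"x", "child1.example.", mac, now, 300, now)
    stale = verify_update(PARENT_KEYRING, UPDATE, "child1.example.", mac, now, 300, now + 3600)
    return ok, unknown, tampered, stale

if __name__ == "__main__":
    print(demo())
```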
