In message <[email protected]>, Paul Wouters writes:
> On Thu, 7 Mar 2013, Doug Barton wrote:
>
> > I also think it makes more sense to signal the parent to act, rather than
> > having the parent need to periodically poll the zone to detect the
> > existence of special records, or updates to those records. I also like
> > signalling in order to avoid cluttering the child zone with these types
> > of hints to the parent.
>
> signaling won't work for too many reasons:
>
> - hidden primaries
> - hidden DNSSEC signers
> - unwillingness for large AUTH servers to add complexity to their main
>   public servers.
> - firewalls between child and parent
> - firewalls between parent and signer
> - additional security checks of the signalling, anti-DDOS measures, etc
>
> If you have a parent-child signaling relationship that works, why not
> use something like dynamic updates?

Remember dynamic updates don't have to go to the servers for the zone.
They can be sent to any reachable address. The only requirement
is that they be signed to prevent forgeries being accepted.

> Or for the RRR case, you could do some signaling over EPP.

Or just give the registrars a DNS to EPP translating server to use
in parallel with their HTTPS to EPP translating server.

> Paul
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]
