On 03/13/2013 09:39 AM, Joe Abley wrote:
> On 2013-03-13, at 12:26, Doug Barton <[email protected]> wrote:
>> On 03/13/2013 07:45 AM, Joe Abley wrote:
>>> 1. Because not all parents (by policy) construct DS records on
>>> behalf of children;
>>
>> So how likely are those parents to utilize CDS records to
>> auto-publish DS? Or, put more simply, do we have any indication
>> that registry operators will actually use this? I know that
>> registries are not the only zone parents, but without some
>> significant buy-in from them I think that regardless of the merits
>> of this idea it may be of low utility.
>
> I am not a lawyer, but I understand that some interpretations of
> public gTLD contracts would prohibit registries from exchanging
> registry data directly with registrants (registrants should deal with
> registrars).

The language tends to be focused around registries not contacting
registrants directly. This sort of thing would likely be an exception to
the rule, but I'm not a lawyer either. :)

It would be worth getting some clarity on this before moving forward
though.

> However, there's nothing to stop registrars making
> arrangements with their registrants to receive change requests via
> signed RRSets. It may be that for gTLDs (and other TLDs in a similar
> situation), we don't need buy-in from lots of registries; we need buy-in
> from a registrar.

That makes the problem worse, right? As there are many more registrars
than there are registry operators.

> The question of how likely it is that anybody will implement this is
> difficult to answer without time travel capability. However, if
> there's no standardised mechanism, I think chances are good that
> nobody will implement anything.

Um ... aren't you looking at it bass-ackwards? It doesn't matter if we
develop a standard if it doesn't meet a real-world need. Communicating
with the primary target audience for the thing we are developing would
seem to be a good step in the process.

>>> 2. Because sometimes you want to publish DS RRs in your parent
>>> that correspond to standby keys that are not published in the
>>> child.
>>
>> If the parents are actually using some method of accepting signals
>> from the child to scrape the zone (whether CDS; actual scraping of
>> NS, DNSKEY, etc.; or some other method) wouldn't that lower the
>> barrier to entry for standby keys?
>
> I don't understand the question. What does "lower the barrier to
> entry for standby keys" mean?

If I have confidence that as a result of whatever mechanism gets
implemented that my parent is going to create a DS record for my new key
in near real time, how important is it that I pre-publish standby keys?
Doug
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
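The exchange about point 2 (standby keys versus a parent that derives DS from CDS or by scraping DNSKEY) is easier to reason about with the actual DS computation in hand. The following is an added example, not code from the thread or from any DNSOP draft: it derives DS records from a child's DNSKEY data the way RFC 4034 section 5.1.4 and Appendix B specify (digest over owner name in wire format plus DNSKEY RDATA; key tag from the RDATA), has the child publish that set as CDS, and has a parent apply an illustrative policy that only accepts a CDS matching a DNSKEY actually published in the child. The parent policy, the owner name `example.com.`, the key bytes and the helper names are all assumptions made for the example; RRSIG validation of the CDS and DNSKEY RRsets is assumed to have happened in a validating resolver and is not modelled.

```python
"""Added example (not from the thread): DS derivation from CDS/DNSKEY and the
standby-key gap.  Key material is constructed, not real; the parent policy is
an assumption, not anyone's deployed behaviour."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes

    def presentation(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name wire format || DNSKEY RDATA), RFC 4034 s5.1.4."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    digest = hashers[digest_type](wire_name(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def child_publishes_cds(owner: str, keys) -> set[DS]:
    """The child signals the DS set it wants in the parent; CDS RDATA is the DS RDATA."""
    return {ds_from_dnskey(owner, k) for k in keys}


def parent_accepts_cds(owner: str, cds: set[DS], child_dnskeys) -> tuple[set[DS], set[DS]]:
    """Illustrative parent policy (assumption): accept a CDS only if it matches a
    DNSKEY the child actually publishes.  Returns (accepted, rejected)."""
    accepted: set[DS] = set()
    rejected: set[DS] = set()
    for d in cds:
        visible = any(ds_from_dnskey(owner, k, d.digest_type) == d for k in child_dnskeys)
        (accepted if visible else rejected).add(d)
    return accepted, rejected


def demo() -> tuple[set[DS], set[DS]]:
    """Child publishes one KSK in DNSKEY but wants DS for it and for an offline standby."""
    owner = "example.com."                                   # assumed owner name
    active_ksk = DNSKEY(257, 3, 8, bytes.fromhex("01020304"))   # constructed key bytes
    standby_ksk = DNSKEY(257, 3, 8, bytes.fromhex("0a0b0c0d"))  # constructed, not in zone
    child_dnskeys = {active_ksk}
    cds = child_publishes_cds(owner, [active_ksk, standby_ksk])
    return parent_accepts_cds(owner, cds, child_dnskeys)


if __name__ == "__main__":
    accepted, rejected = demo()
    for d in sorted(accepted, key=lambda x: x.key_tag):
        print("parent publishes DS:", d.presentation())
    for d in sorted(rejected, key=lambda x: x.key_tag):
        print("parent refuses DS (no matching child DNSKEY):", d.presentation())
```

Run stand-alone it prints one accepted DS for the active KSK and one refused DS for the standby key: under a parent that cross-checks CDS against the child's DNSKEY RRset (or that scrapes DNSKEY directly), the standby DS of point 2 never reaches the parent, which is the case Doug's last question is probing. A parent that trusts the signed CDS RRset without that cross-check would publish both.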