On Wed, 9 Oct 2013, Ondřej Surý wrote:

> We also have a signaling mechanism...
> We can just somewhat abuse the DNS Update mechanism to send DNS UPDATE
> to parent master (from SOA) server with DNSKEYs + RRSIGs as contents
> of the DNS UPDATE message.
Some TLD operators I talked to did not want UPDATEs heading towards
their existing deployment. So your signaling only works if those
TLDs can re-purpose the SOA entry to specify such a _new_ server. One
could also use a new RRTYPE for it (but probably not put it in the apex).
I still think the most transparent way of signaling the child can do
is by publishing something in their zone. It will get DNSSEC protection,
and even "transparency" by being published to anyone who cares to look.
It also requires no new firewall rules at the TLDs to let in new kinds of
messages like UPDATE.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
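The in-zone signaling Paul argues for only gives "DNSSEC protection" if the parent actually gates on it: a signal announcing a new DNSKEY must be signed by a key the parent already trusts through its published DS records, otherwise anyone who can get a record into the child's zone (or spoof one) can swap the child's keys. The following is an added example, not code from this thread or from any of the participants' implementations. It implements that parent-side policy check in Python with stdlib only: the RFC 4034 key tag and SHA-256 DS digest computations are real, while the keys, zone name and RRSIG metadata are constructed, and the example assumes the signaling RRset was already fetched and cryptographically validated by a validating resolver (signature verification itself is not performed here).

```python
"""Parent-side acceptance gate for a DNSKEY signal published in the child zone.

Added example, not from the DNSOP thread. All inputs below are constructed.
Assumption: a validating resolver has already fetched the child's signaling
RRset and verified its RRSIG; this code decides whether the parent should
act on it, by requiring the signing key to chain from a DS the parent
already publishes. Key tag and DS digest follow RFC 4034.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 0x0100 = Zone Key, 0x0001 = SEP
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class RRSIG:
    """Only the RRSIG fields the policy gate needs (constructed, not a full parser)."""
    type_covered: str
    key_tag: int
    signer_name: str


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (valid for all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, key: DNSKEY) -> bytes:
    """RFC 4034 section 5.1.4 DS digest, digest type 2 (SHA-256) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + key.rdata()).digest()


def accept_child_signal(child_zone: str,
                        published_keys: Iterable[DNSKEY],
                        signal_rrsig: RRSIG,
                        parent_ds_digests: Set[bytes]) -> bool:
    """True only if the signal RRset is signed by a zone key the parent already trusts via DS."""
    norm = lambda n: n.lower().rstrip(".")
    if norm(signal_rrsig.signer_name) != norm(child_zone):
        return False  # signed by something other than the child apex
    for key in published_keys:
        if key_tag(key) != signal_rrsig.key_tag:
            continue
        if not key.flags & 0x0100:
            continue  # Zone Key bit not set; not a DNSSEC zone key
        if ds_digest(child_zone, key) in parent_ds_digests:
            return True
    return False


if __name__ == "__main__":
    # Constructed keys: 'current' is already in the parent's DS set, 'new' is what the
    # child is trying to roll to. Public key bytes are placeholders, not real RSA keys.
    zone = "example."
    current_ksk = DNSKEY(257, 3, 8, bytes.fromhex("03010001abcd"))
    new_ksk = DNSKEY(257, 3, 8, bytes.fromhex("030100011234"))
    parent_ds = {ds_digest(zone, current_ksk)}
    signal_signed_by_current = RRSIG("DNSKEY", key_tag(current_ksk), zone)
    signal_signed_by_new = RRSIG("DNSKEY", key_tag(new_ksk), zone)
    print("signed by trusted key:", accept_child_signal(zone, [current_ksk, new_ksk],
                                                        signal_signed_by_current, parent_ds))
    print("signed only by new key:", accept_child_signal(zone, [current_ksk, new_ksk],
                                                         signal_signed_by_new, parent_ds))
```

The second call is the case that matters: a signal signed only by the key being introduced must be rejected, because nothing in the parent's existing chain of trust vouches for it. A real deployment would run this gate after a validating resolver has reported the RRset as secure, and would apply the same check to whichever signaling record type ends up being standardized.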