In message <[email protected]>, Paul Wouters writes:
> On Wed, 9 Oct 2013, Ondřej Surý wrote:
>
> > We also have a signaling mechanism...
> >
> > We can just somewhat abuse the DNS Update mechanism to send DNS UPDATE
> > to parent master (from SOA) server with DNSKEYs + RRSIGs as contents
> > of the DNS UPDATE message.
>
> Some TLD operators I talked to did not want UPDATEs heading towards
> their existing deployment. So your signaling only works if those
> TLDs can re-purpose the SOA entry to specify such a _new_ server. One
> could also use a new RRTYPE for it (but prob not put it in the apex)
>
> I still think the most transparent way of signaling the child can do
> is by publishing something in their zone. It will get DNSSEC protection,
> and even "transparency" by being published to anyone who cares to look.
>
> It also requires no new firewall rules at the TLDs to let in new kind of
> messages like UPDATE.
UPDATE is first and foremost a message format and can be securely used to
send change requests. It can be used for all zones regardless of whether
they are signed or not.

Yes, I know updating DS records triggered this, but there is more than DS
records that need to be updated in parent zones automatically. If a server
gets renumbered it *should* be able to update its own address records. We
*shouldn't* have to depend on zones being signed to do this. It should
work at *all* delegation points in the DNS.

Focusing on DS/DNSKEY will lead to the wrong general solution.
Focusing on the zone being signed will lead to the wrong general solution.

Mark

> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
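As an added illustration of the message format Mark is referring to (example code, not from the thread and not BIND's or any project's own), here is a minimal RFC 2136 UPDATE encoder in plain Python: a renumbered child name server asks the parent zone to replace the delegation's A records. The zone and host names are constructed; TSIG signing, which any real deployment needs, is assumed to be applied by the transport layer and is omitted.

```python
"""Minimal RFC 2136 DNS UPDATE wire-format encoder (added example, not from the thread)."""
import struct

OPCODE_UPDATE = 5                  # RFC 2136 section 2, header OPCODE
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255       # CLASS ANY + TTL 0 + empty RDATA = "delete RRset"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def encode_rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record in wire format: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone: str, owner: str, addrs: list, ttl: int = 3600, msg_id: int = 0x1234) -> bytes:
    """UPDATE message: delete every A RR at `owner` in `zone`, then add the new addresses.

    Sections in order: header, zone (1 entry), prerequisite (0), update (N), additional (0).
    """
    updates = [encode_rr(owner, TYPE_A, CLASS_ANY, 0, b"")]        # delete the whole A RRset
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))        # IPv4 dotted quad -> 4 bytes
        updates.append(encode_rr(owner, TYPE_A, CLASS_IN, ttl, rdata))
    flags = OPCODE_UPDATE << 11                                    # QR=0 (request), opcode=5
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(updates)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header so a receiver can see opcode and section counts."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}


if __name__ == "__main__":
    # Constructed sample: child's ns1 moved to two new addresses (documentation prefix).
    msg = build_update("example.", "ns1.child.example.", ["192.0.2.1", "192.0.2.2"])
    print(parse_header(msg), msg.hex())
```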
