On 02/09/15 10:12, Holger Zuleger wrote:
>>> In practice subdomains registered under public suffixes do not allow
>>> dynamic DNS updates. Glue records and NS records can only be changed
>>> through EPP or proprietary protocols of the respective registries and in
>>> some cases only through fax or letter. Most registrars expose their
>>> interface to the registry, including glue record management, directly to
>>> registrants either through a self-service web interface that can be
>>> scraped, EPP or some proprietary protocol, and only a few require
>>> interaction with their customer support. So it is still possible to
>>> automatically update the glue records of a nameserver when its network
>>> is renumbered. However, there is no fine-grained access control - even
>>> if you interface directly with the registry. That means that you have to
>>> store the credentials that can be used to change all details of your
>>> domain in the registry on every nameserver if you want that nameserver
>>> to be able to automatically update its glue records. If your domain uses
>>> DNSSEC with separate KSK and ZSK, it suffices to compromise a secondary
>>> nameserver to replace the KSK, which undermines the security model.
> You can overcome the problem with the glue records by putting all the NS
> servers in a different domain not below your zone. But this of course
> wouldn't help on DS or NS updates.
At some point/level of indirection you will need glue records.

- Matthias-Christian

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
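The two positions in the thread (move the NS hosts into another domain so your own zone needs no glue, versus "at some level of indirection you will need glue") can be checked mechanically. The following is an added example, not code from the thread or from any of the participants: it classifies a zone's NS hosts as in-bailiwick (the parent must carry A/AAAA glue for them, so whoever can change that glue holds registrar-level credentials for the domain) or out-of-bailiwick, and then follows the out-of-zone NS names from zone to zone until it reaches a zone whose nameservers live inside it. The `ZONES` table is constructed for illustration; the zone and host names in it are made up.

```python
# Added example (not from the DNSOP thread): which NS hosts need glue, and
# where a chain of "NS in a different domain" bottoms out. ZONES is a
# constructed, hypothetical delegation table keyed by zone apex.
ZONES = {
    "example.com.": ["ns1.dnsprovider.net.", "ns2.dnsprovider.net."],
    "dnsprovider.net.": ["ns1.dnsprovider.net.", "ns2.dnsprovider.net."],
    "selfhosted.org.": ["ns1.selfhosted.org.", "ns2.selfhosted.org."],
}


def is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (label-aligned, case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def needs_glue(zone: str, ns_name: str) -> bool:
    """An NS host inside the zone it serves is in-bailiwick: the parent
    zone must publish A/AAAA glue for it, which is exactly the record that
    can only be changed through the registrar/registry interface."""
    return is_subdomain(ns_name, zone)


def in_bailiwick_ns(zone: str, ns_names) -> list:
    """NS hosts of zone that require glue in the parent."""
    return [ns for ns in ns_names if needs_glue(zone, ns)]


def enclosing_zone(name: str, zones: dict):
    """Longest zone apex in the table that contains name, or None."""
    candidates = [z for z in zones if is_subdomain(name, z)]
    return max(candidates, key=len) if candidates else None


def glue_chain(zone: str, zones: dict):
    """Follow out-of-zone NS names from zone to zone.

    Returns (chain, glued): chain is the list of zones visited, glued the
    in-bailiwick NS hosts of the last zone (empty if the chain left the
    table or looped before any zone needed glue)."""
    chain, seen, current = [zone], {zone}, zone
    while True:
        ns_names = zones[current]
        glued = in_bailiwick_ns(current, ns_names)
        if glued:
            return chain, glued  # indirection stops here: glue is unavoidable
        nxt = enclosing_zone(ns_names[0], zones)
        if nxt is None or nxt in seen:
            return chain, []
        chain.append(nxt)
        seen.add(nxt)
        current = nxt


if __name__ == "__main__":
    for apex in ZONES:
        print(apex, "->", glue_chain(apex, ZONES))
```

Running it on the constructed table shows the point of the reply: example.com. itself needs no glue because its nameservers sit under dnsprovider.net., but dnsprovider.net. is served by hosts inside itself, so the registrar-managed glue (and the coarse-grained credentials needed to change it) simply moved one delegation further out rather than disappearing.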
