SIG(0) has miles of potential.  Active Directory shows that hosts updating 
their own addresses is useful.

SIG(0) provides a similar mechanism without the overhead of AD.   It actually 
works well today if you spend the time to hook it into a system.  What’s needed 
is for OS vendors to ship machines with support enabled.

Use AD if the machine is part of an AD domain and this if it isn’t.
It really isn’t that hard to do; it just requires OS developers to do it.

-- 
Mark Andrews

> On 20 Jun 2018, at 07:33, Ondřej Surý <ond...@isc.org> wrote:
> 
> But if nobody uses that and nobody else implements this, it sort of beats the 
> usefulness of the feature.
> 
> Ondrej
> --
> Ondřej Surý — ISC
> 
>> On 19 Jun 2018, at 23:20, Mark Andrews <ma...@isc.org> wrote:
>> 
>> SIG(0) is much superior for machines updating their own data  to TSIG as you 
>> don’t need a secondary storage for the TSIG key.   You can replace a master 
>> server without having to worry about transferring TSIG secrets off a dead 
>> machine. You just copy the zone from a slave and go.
>> 
>> There are other scenarios where it is also superior like automaton 
>> delegating in the reverse tree.
>> 
>> No I don’t think it should go. 
>> 
>> It should be widely implemented so it can be used. There is a lot of 
>> self-fulfilling prophecy in the DNS of people will never use this so we won’t 
>> implement it. 
>> 
>> -- 
>> Mark Andrews
>> 
>>> On 20 Jun 2018, at 06:48, Ondřej Surý <ond...@isc.org> wrote:
>>> 
>>> Hi,
>>> 
>>> as far as I could find on the Internet there are only SIG(0) implementations 
>>> in a handful of DNS implementations - BIND, PHP Net_DNS2 PHP library, 
>>> Net::DNS(::Sec) Perl library, trust_dns written in Rust and perhaps others 
>>> I haven’t found; no mention of real deployment was found over the Internet 
>>> (but you can blame Google for that)...
>>> 
>>> Do people think the SIG(0) is something that we should keep in DNS and it 
>>> will be used in the future or it is a good candidate for throwing off the 
>>> boat?
>>> 
>>> Ondrej
>>> --
>>> Ondřej Surý
>>> ond...@isc.org
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
> 
