On Jul 6, 2019, at 19:28, Witold Krecicki <[email protected]> wrote:

> Exactly - while the things you mentioned are configuration options that
> are 'human generated', the ZSK rollover should be, in the ideal case,
> something that happens automatically, without any human intervention.

It wouldn't necessarily be harmful to be able to update those other things automatically, too. Things like master servers and NOTIFY targets perhaps change less frequently or predictably than a ZSK, but in times of emergency all could benefit from a well-designed, automated and secure mechanism to handle changes. TSIG secrets are rarely rolled in practice, in my experience, and being able to improve upon that also seems useful.

I still wonder whether what you're proposing really only solves one of a wider set of problems, and whether doing it in the DNS really makes sense. Perhaps a standardised, out-of-band provisioning protocol would be better. We might have a need to exchange some other kind of metadata between authoritative servers for a zone in the future, e.g. relating to secure transports or privacy. The idea of being able to provide a general solution to solve future such problems seems attractive.

None of this is commentary directly about your draft, of course.

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
