Hi John,
On 6/20/23 20:27, John Levine wrote:
It appears that Peter Thomassen <pe...@desec.io> said:
My take is that the parent should create a _signal subdomain (preferably as a
delegation). The per-child target can be queried by prepending, e.g.
_notify.example._signal.parent. IN NOTIFY CDS scheme port
scanner.registrar.example.
This way, the parent can announce the registrar's NOTIFY endpoint. This can be
synthesized dynamically, no need to maintain a large zone.
As _signal can be delegated, only one (rather normal) NS RRset is required in
the parent, and the magic can be done on a different
nameserver.
While I can see how that might work in principle, I find it hard to
imagine registries and registrars making it work. At the least it'd
need new EPP stuff to tell the registry what signal records to add or
delete.
Do you mean that there needs to be a way for registrars to tell a registry what
their NOTIFY listening endpoint is?
EPP, to my knowledge, is for management of domain registrations, while that
endpoint is a global property of the registrar's account with the registry. It
need not necessarily be conveyed via EPP: one could use whatever other channel
is available for account changes. I guess there would usually be a web portal
for filling in details like your EPP client net ranges, billing details, tax
number etc.
It would be really interesting to hear from a registry. I'll reach out to some
and try to figure out what they think.
I guess if the targets are fairly static, then putting it in the configuration
rather than sticking it in the DNS will be good enough.
How would a random DNS operator know the registrar of their customer zones? How
would they learn when it changes?
They'd ask the customer "who's your registrar" when they set up the
zone.
Ah, but then that's not what we're trying to do, which is improving CDS
processing. So far, it's done via CDS scanning which does not involve the
registrant but is automatic (that's already in the title of RFC 7344).
Unfortunately, the timing of the scanning queries does not align well with when
a CDS change is actually happening. The NOTIFY mechanism is trying to improve
on that, but without turning the automated method back into one that requires
manual steps by the customer.
If the customer changes registrars, they have to tell the DNS operator
I wouldn't bet that this wouldn't be forgotten except for < 10% of cases.
Realistically, the DNS operator would have to ask again -- but how would they know
when it would be good to ask? Perhaps the DNS operator could ask daily *scnr*
Cheers,
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
