Greetings Working Group,

As many of you are aware Peter Thomassen, John Levine and I have been working on the generalised notifications for a while. The key idea there is obviously that a NOTIFY(CDS) or NOTIFY(CSYNC) sent from the child to the parent scanner will allow the scanner to fast track the scan of that particular child, thereby making everything converge faster and presumably making the child happier.

But scanners still suck in general. So now there’s a new draft, which further extends the same core idea (locate the target for the information being sent via a DNS lookup in the parent zone). However, the new draft (draft-johani-dnsop-delegation-mgmt-via-ddns-00) proposes that instead of sending a NOTIFY (triggering a scan from the recipient) the child sends a DNS UPDATE containing the exact change, with a signature that can be verified by the recipient. The recipient is typically not the primary name server for the parent, but rather a small service that does the same policy verifications, etc., that a scanner would do before committing the change.

There are two key advantages to this alternative:

1. No need for the scanner. While some registries and registrars already run scanners, this would really help all other, smaller, parent zones that don’t have scanners and, more importantly, don’t want scanners.

2. No requirement for DNSSEC. Great as DNSSEC is, being able to automate the management of delegation information for *all* zones, regardless of whether the parent is signed or not, regardless of whether the child is signed or not, is an advantage.

Note that this mechanism is proposed as a complement to the generalized notifications, not as a replacement. Both have roles to fulfill.

Please take a look if you’re at all interested in these issues. I will present the draft in Prague.

Regards,
Johan
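As an added illustration that is not part of Johan's mail or of the draft itself: a stdlib-only Python sketch of the exchange described above, where the child builds an RFC 2136 UPDATE that replaces the NS and DS RRsets at its delegation point, and the recipient parses it and applies the policy check a scanner would otherwise perform. The message ID is a constructed value, label compression is not used, and the signature the draft attaches is left out because the mail does not say how it is formed.

```python
import struct

OPCODE_UPDATE = 5                              # RFC 2136 opcode
RRTYPE = {"NS": 2, "DS": 43, "ANY": 255}
DELEGATION_TYPES = {RRTYPE["NS"], RRTYPE["DS"]}

def encode_name(name):
    # Uncompressed wire-format name; this sketch never emits compression pointers.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(wire, off):
    labels = []
    while wire[off]:                           # a zero-length label terminates the name
        labels.append(wire[off + 1:off + 1 + wire[off]].decode("ascii"))
        off += 1 + wire[off]
    return ".".join(labels) + ".", off + 1

def build_update(parent, child, rrs, msg_id=0x1234):
    """Child side: UPDATE for zone `parent` that, per type in `rrs` (list of
    (type_name, rdata_bytes)), deletes the old RRset (CLASS ANY) then adds the new RRs."""
    body = encode_name(parent) + struct.pack(">HH", 6, 1)       # Zone section: SOA, IN
    types = sorted({t for t, _ in rrs})
    for t in types:
        body += encode_name(child) + struct.pack(">HHIH", RRTYPE[t], RRTYPE["ANY"], 0, 0)
    for t, rdata in rrs:
        body += encode_name(child) + struct.pack(">HHIH", RRTYPE[t], 1, 3600, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(types) + len(rrs), 0)
    return header + body

def parse_update(wire):
    """Recipient side: (zone, [(owner, rtype, rclass, rdata), ...]) from the Update section."""
    _id, flags, zcount, prcount, upcount, _ad = struct.unpack(">HHHHHH", wire[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zcount != 1:
        raise ValueError("not a DNS UPDATE with exactly one zone")
    zone, off = decode_name(wire, 12)
    off, records = off + 4, []                 # skip zone TYPE and CLASS, collect RRs
    for _ in range(prcount + upcount):         # prerequisite and update RRs share one format
        owner, off = decode_name(wire, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", wire[off:off + 10])
        records.append((owner, rtype, rclass, wire[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return zone, records[prcount:]

def policy_check(zone, child, updates):
    """The check a scanner would also apply: the child may only replace NS/DS at its
    own delegation point, never the parent apex or any other name in the zone."""
    if child == zone or not child.endswith("." + zone):
        return False
    return all(o == child and t in DELEGATION_TYPES for o, t, _, _ in updates)
```

The recipient would only commit the parsed records to the parent zone after `policy_check` passes, in place of the scan a NOTIFY would have triggered.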
