Hi Libor,

> On 26 Oct 2023, at 12:26, libor.peltan <[email protected]> wrote:
>
> Hi,
> I'm not sure if this helps the discussion, but Knot DNS implements "DS push", an automated DDNS update
> updating the DS (not NS) at parent.
> It's mostly intended for single-organization parent-child relations, where TSIG (or soon DDNSoQ) can
> be configured easily.

I was not aware of this, but “DS push” is clearly an implementation of the special case (just the DS) of what I would like to see in the child primary. Many thanks for sharing.

The limitation of intended use to single organization is easily understandable and those limitations are exactly what I would like to remove with my draft:

* by defining a mechanism for how to locate the target for the dynamic update via a DNS lookup
* by using SIG(0) rather than TSIG to make it more scalable across multiple organisations

I also note that in the Knot-DNS documentation it says about “ds-push” that “this feature requires cds-cdnskey-publish not to be set to none.”

I agree completely, these are exactly the choices we have if we want to achieve full automation of updates to delegation information: publish a CDS if we have a parent that runs a CDS scanner OR update the DS directly via a DNS UPDATE for all the cases where there is no parent scanner.

Regards,
Johan

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
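
An added illustration, not part of the original message and not Knot DNS code: the RFC 2136 wire form of a DNS UPDATE that replaces the DS RRset for a child at its parent. Zone names, key tag and digest are constructed sample values, and the message is built unsigned, so the TSIG or SIG(0) record discussed above still has to be appended before a parent should accept it.

```python
import struct

TYPE_SOA, TYPE_DS = 6, 43
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
DIGEST_LEN = {1: 20, 2: 32, 4: 48}  # SHA-1, SHA-256, SHA-384

def encode_name(name):
    """Encode a domain name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: " + label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def is_below(child, parent):
    """True if child is a proper subdomain of parent."""
    c = child.rstrip(".").lower().split(".")
    p = [l for l in parent.rstrip(".").lower().split(".") if l]
    return len(c) > len(p) and c[len(c) - len(p):] == p

def ds_rdata(key_tag, algorithm, digest_type, digest_hex):
    """DS RDATA: key tag, algorithm, digest type, digest."""
    digest = bytes.fromhex(digest_hex)
    if DIGEST_LEN.get(digest_type) != len(digest):
        raise ValueError("digest length does not match digest type")
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest

def build_ds_update(parent_zone, child, ds_set, ttl=3600, msg_id=0x1234):
    """Unsigned UPDATE: delete the DS RRset at child, then add ds_set."""
    if not is_below(child, parent_zone):
        raise ValueError("child is not inside the parent zone")
    owner = encode_name(child)
    # RFC 2136 "delete an RRset": class ANY, TTL 0, empty RDATA.
    records = [owner + struct.pack("!HHIH", TYPE_DS, CLASS_ANY, 0, 0)]
    for ds in ds_set:
        rdata = ds_rdata(*ds)
        records.append(owner + struct.pack("!HHIH", TYPE_DS, CLASS_IN,
                                           ttl, len(rdata)) + rdata)
    # Header counts: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=len(records), ADCOUNT=0.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, 0, len(records), 0)
    zone = encode_name(parent_zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone + b"".join(records)

# Constructed sample: one SHA-256 DS for child.example. in zone example.
SAMPLE = build_ds_update("example.", "child.example.",
                         [(12345, 13, 2, "ab" * 32)])
```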
