On Oct 25, 2023, at 13:14, Johan Stenstam <[email protected]> wrote:

> To begin with it works equally well with or without DNSSEC.

That statement seems a little odd?

> Furthermore it is a cleaner solution than what we currently have (i.e. child
> zone publishes CDS and/or CSYNC and parent at some future time will get
> around to scan for it). Replacing all this with a single DNS UPDATE is
> something we should have (and could have) done long before either CDS or
> CSYNC were invented.

You seem to assume we didn’t know this when CDS and CSYNC were created. The question to ask is why, at the time, we thought those new mechanisms were needed, and whether those reasons have changed since then.

> The reason we didn’t was to some extent that we had higher hopes for DNSSEC
> deployment rate than were justified, but primarily that we didn’t address the
> question of how to figure out where to send the UPDATE when used across
> organisational boundaries. Now we know more about the DNSSEC deployment rate
> and we also have a proposal for locating the target for the UPDATE.

I don’t agree that adoption rate changes any justifications for new protocols.

> And so this draft was born.

Mark pointed out we have that “where to send UPDATEs” infrastructure already?

> How many parent zones do we have in the universe? Millions, most likely. How
> many of these parents have deployed CDS and CSYNC scanners? Perhaps a couple
> of dozen. Compared to the deployment rate of DNSSEC in general the deployment
> rate of CDS and CSYNC scanners is so completely lacking that I think we, i.e.
> the DNS community, should ponder the following question very seriously:
>
> Do we really think that CDS/CSYNC scanners are the only answer we need to
> the question of how to achieve full automation of delegation information
> between child and parent?
>
> If the answer is “no” then I’d love to hear more suggestions than this
> proposal.

I think you are confusing two very different use cases: generic registration TLDs, and DNS deployments within the same organization. The latter can clearly be done with stock DNS UPDATEs.

The TLD case is special as it involves the RRR ICANN model. Any reasoning about deployments needs to take this into account.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
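
The intra-organization case Paul refers to, a child replacing its DS RRset at the parent with a stock RFC 2136 DNS UPDATE instead of publishing CDS and waiting for a scanner, as an added example that is not part of the thread or of any draft discussed in it. The zone names `example.` and `child.example.`, the key tag and the digest are constructed sample values; the message is built as wire bytes and parsed back so it runs offline without contacting any server. Authentication (TSIG, RFC 8945, or SIG(0)) is deliberately left out to keep the layout visible; any real deployment must add it, since an unauthenticated UPDATE accepted by the parent lets anyone rewrite the delegation.

```python
"""RFC 2136 DNS UPDATE that atomically replaces a child's DS RRset at the parent.

Added illustration only. Names, key tag and digest below are constructed sample
values. No authentication (TSIG/SIG(0)) is included; see the lead-in.
"""
import struct

OPCODE_UPDATE = 5
TYPE_SOA, TYPE_DS = 6, 43
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255

# Constructed sample: (key_tag, algorithm, digest_type, digest_hex). Algorithm 13 is
# ECDSAP256SHA256, digest type 2 is SHA-256 (32 bytes); the digest itself is a placeholder.
SAMPLE_DS = [(12345, 13, 2, "ab" * 32)]


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(wire: bytes, off: int):
    """Read an uncompressed name starting at `off`; return (name, next_offset)."""
    labels = []
    while True:
        n = wire[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer: this builder never emits one")
        labels.append(wire[off:off + n].decode("ascii"))
        off += n


def rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes = b"") -> bytes:
    """One resource record in wire format (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def ds_rdata(key_tag: int, algorithm: int, digest_type: int, digest_hex: str) -> bytes:
    """DS RDATA per RFC 4034 section 5.1."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + bytes.fromhex(digest_hex)


def build_ds_replace(msg_id: int, parent_zone: str, child: str, ds_list, ttl: int = 3600) -> bytes:
    """Build the UPDATE message: zone section names the parent, update section first
    deletes the whole DS RRset at the child name (class ANY, TTL 0, empty RDATA,
    RFC 2136 section 2.5.2) and then adds the new DS records. The server applies the
    whole update section atomically, so the delegation is never left without DS."""
    updates = [rr(child, TYPE_DS, CLASS_ANY, 0)]
    updates += [rr(child, TYPE_DS, CLASS_IN, ttl, ds_rdata(*ds)) for ds in ds_list]
    flags = OPCODE_UPDATE << 11  # QR=0, OPCODE=5 (UPDATE), all other flag bits clear
    # Header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT for this opcode.
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, len(updates), 0)
    zone = encode_name(parent_zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone + b"".join(updates)


def parse_update(wire: bytes) -> dict:
    """Walk the wire bytes back into a dict so the layout can be checked offline.
    Raises ValueError on trailing or truncated data."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    zone, off = decode_name(wire, off)
    ztype, zclass = struct.unpack("!HH", wire[off:off + 4])
    off += 4
    records = []
    for _ in range(pr + up + ad):
        name, off = decode_name(wire, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if off + rdlen > len(wire):
            raise ValueError("truncated RDATA")
        records.append((name, rtype, rclass, ttl, wire[off:off + rdlen]))
        off += rdlen
    if off != len(wire):
        raise ValueError("trailing bytes after last record")
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone,
            "zone_type": ztype, "zone_class": zclass,
            "counts": (zo, pr, up, ad), "records": records}


if __name__ == "__main__":
    wire = build_ds_replace(0x1234, "example.", "child.example.", SAMPLE_DS)
    print(wire.hex())
    for rec in parse_update(wire)["records"]:
        print(rec)
```

The `parse_update` step is what a parent-side receiver does before deciding anything; a real server would additionally verify the TSIG or SIG(0) signature over these bytes and check its update policy (which names and types this signer may touch) before applying the section.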
