Re: [DNSOP] [EXT] Re: Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Jacques Latour
Same here, I'm late, but I support this draft and will review and contribute. From: DNSOP on behalf of Christian Huitema Sent: Wednesday, June 14, 2023 11:55 AM To: Florian Obser ; Tim Wicinski Cc: dnsop ; dnsop-chairs Subject: [

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-bootstrapping

2023-11-10 Thread Jacques Latour
Hi, I support the dnssec bootstrapping method as proposed in draft-ietf-dnsop-dnssec-bootstrapping. .CA is looking at an implementation. Jacques

Re: [DNSOP] [EXT] Re: Followup Working Group Last Call for draft-ietf-dnsop-dnssec-bootstrapping

2024-01-22 Thread Jacques Latour
Yes, agree, we should publish. 4.3 *The Parental Agent receives a new or updated NS record set for a Child;* 4.3 *Any other condition as deemed appropriate by local policy.* -> to confirm my understanding, as a registry operator, a trigger could be when a domain is new/being registered, and add

Re: [DNSOP] [EXT] Re: Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-06 Thread Jacques Latour
I support the adoption of this document as well, perhaps a bit long but as Stéphane stated with draft-ietf-dnsop-extended-error, it would be nice to have a good story on understanding why resolvers return SERVFAIL. >-Original Message- >From: DNSOP On Behalf Of Stephane Bortzmeyer >Sent: M

Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying referrals (#35)

2017-11-14 Thread Jacques Latour
Parental synchronization is inevitable so we would be better to find the best way to make it happen. I think there are 3 plausible methods to do the synchronization. 1. Child Notification: Child sends NOTIFY to a predefined parental destination. The parent then polls the child zone for changes an

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-16 Thread Jacques Latour
The intent of the document at bootstrap is for the parent to perform sufficient tests to ensure they are conformable in bootstrapping the chain of trust, I agree with you that these tests and others could be performed by the parent to ensure the child/DNS Operator is "well behaved" and/or has "go

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Jacques Latour
I'm trying to balance in my mind the requirements to protect the DNS vs. what is happening on the wire, in the end, the browser will connect to an IP address which can be (in most cases) mapped to a domain name, which we're trying to protect/hide with all sorts of encryption. Someone that has ac

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Jacques Latour
t if you can't trust the DNS to be clean then that's one option to enforce a security policy when browsers are using DoH. This should probably go in draft-livingood-doh-implementation-risks-issues Jacques >-Original Message- >From: Adam Roach >Sent: March 20, 2019 2:

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-21 Thread Jacques Latour
Plus! Is anyone looking at adding DoH and DoT servers as part of DHCP/SLAAC? So the local resolver and apps and browsers can go to the _appropriate_ name resolution resource(s) using the protocol of choice. That would be much simpler for default configuration in enterprise and ISP. >From: DNSOP

[DNSOP] DNS over XMPP - DoX

2019-04-01 Thread Jacques Latour
https://xmpp.org/extensions/xep-0418.html XEP-0418: DNS Queries over XMPP (DoX) Abstract: This specification defines an XMPP protocol extension for sending DNS queries and getting DNS responses over XML streams. Each DNS query-response pair is mapped into an IQ exchange. Author: Tra

Re: [DNSOP] The DNSOP WG has placed draft-ogud-dnsop-maintain-ds in state "Candidate for WG Adoption"

2015-11-17 Thread Jacques Latour
> -Original Message- > From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Jan Vcelák > Sent: November-08-15 3:50 PM > To: Olafur Gudmundsson; Shane Kerr > Cc: dnsop@ietf.org > Subject: Re: [DNSOP] The DNSOP WG has placed draft-ogud-dnsop-maintain-ds > in state "Candidate for WG Adop

Re: [DNSOP] DNS Delegation Requirements

2016-02-09 Thread Jacques Latour
Hi, Sent something relating to this on DNS-OARC this morning, but it seems to be legit to have delegation for a “_tcp.example.ca”, which fails the syntax requirements defined in section “8.1. Illegal characters MUST NOT be in the domain name”. A delegation can happen to a valid domain na

Re: [DNSOP] Any interest in draft-latour-dnsoperator-to-rrr-protocol ?

2016-02-16 Thread Jacques Latour
Hi, I think it would fall under REGEXT once it's up? The REGEXT charter has a section about DNS Operator. > The working group will also identify the requirements for a > registration protocol where a third-party DNS provider is involved. > These requirements will be documented in an Informationa

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-maintain-ds

2016-04-07 Thread Jacques Latour
Read it, like it, and >3.1 ... The parent retrieves the CDS and inserts the corresponding DS RRset as >requested, I think the parent can accept the CDS and insert the DS RRset as requested or as per Parent policy. Meaning the Parent could take the signed child DNSKEY and create DS RRset based

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-maintain-ds

2016-04-08 Thread Jacques Latour
and support parental agent that want to publish DS conform to their policies. Jack From: Olafur Gudmundsson [o...@ogud.com] Sent: Thursday, April 07, 2016 10:36 PM To: Jacques Latour Cc: Tim Wicinski; dnsop; Olafur Gudmundsson Subject: Re: [DNSOP] Working Group La

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-maintain-ds

2016-04-14 Thread Jacques Latour
> -Original Message- > From: Paul Wouters [mailto:p...@nohats.ca] > Sent: April-11-16 3:18 PM > To: Jacques Latour > Cc: Olafur Gudmundsson; dnsop > Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-maintain- > ds > > On Fri, 8 Apr 2016, Jacqu

Re: [DNSOP] DNSSEC operational issues long term

2016-11-22 Thread Jacques Latour
Make sure your CPE supports IPv6 only operations before putting on the shelf, hopefully IPv4 will be decommissioned 10 years from now, so DNSSEC bootstrap could be a moot point. >-Original Message- >From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Mikael >Abrahamsson >Sent: N

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Jacques Latour
Ted, very clear summary, thank you. I read the DNSSEC related homenet and dnsop comments and I don’t see how you can have DNSSEC validation for a homenet without a properly signed & delegated domain. If we want a one shoe fits all solution then we need to have a single common domain used by al

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Jacques Latour
This would probably be a good use case for homenet to use its own DNS class, Class 2 - 0x0002 – Homenet (HN). How to implement is beyond my paygrade. This would make homenet DNS very distinctive, which it is. If we want to solve this problem, it’s going to require an extension to the DNS that provi

Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-00.txt

2013-02-19 Thread Jacques Latour
Another "what if scenario" for bypassing the EPP keyrelay with automation, what if there was a CKEYRELAY record pointing to the gaining DNS operator name servers, where the parent zone operator can grab the new DS record to be pre-published prior to DNS operator transfer? Potentially, parent zone

Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-delegation-trust-maintainance

2014-04-23 Thread Jacques Latour
"The Child may also remove old keys, but this document does not support removing all keys." "When the Parent DS is "in-sync" with the CDS / CDNSKEY resource records, the Child DNS Operator MAY delete the CDS / CDNSKEY record(s);" Read the whole thing a couple of times and it's not clear to me h

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

2014-11-20 Thread Jacques Latour
I think the one big drawback for me is the loss of visibility and control for the root operators. As an example, DITL, what value will that have if only a subset of queries make it to root servers? Will DNS-OARC have to collect logs from all these loopback authoritative slave recursive? -1 for adop