[dns-operations] .TH signed
Edward Lewis
Ed.Lewis at neustar.biz
Wed Apr 8 19:22:41 UTC 2009
At 14:04 -0500 4/8/09, Michael Graff wrote:
>When I submit name servers for my domains, I submit money (heh) and name
>server hosts, and IP addresses. I never submit "NS records" nor "A
>records." I don't know or care about the method by which these are
>published, nor their format.
You see the registrant to registrar (GU) interface. The back end EPP
interface sends NS and A(AAA) records in XMLized format.
>I don't see why one could not accept DNSKEYs directly, rather than a DS.
> After all, I don't submit a representation of the name servers, I
>submit their names. Why not submit the key record, and how it is
>published is up to the publisher? I know it is too late for 4310.
Didn't say can't, and it's never too late to comment on an RFC. ;)
In RFC 4310, you can submit a DNSKEY but so far registry operators
side with the DS option.
>> A registry shouldn't be trying to infer something, anything, about
>> registrants. A registry should take what a registrant (or the agent
>> of/registrar) explicitly says to register and record the association -
>> modulo authentication, authorization, etc.
>
>See above. The binding between what the user submits and what is
>published does not have to be 1:1, IMHO. It already is not, in fact.
>Plus, having the key submitted allows one to publish DS or DLV records
>with any type of hash desired -- SHA1, SHA256, whatever. It decouples
>the data the user sees from the data the publisher generates, which
>decouples the user from the technology used to bind the parent/child
>relationship.
My assessment is that this is over engineering, over complicating the
entire system. I realize I should elaborate, but it would take a lot
of logic to get back to that conclusion.
Choice, moving parts, etc., are all things that work against lowering
operation cost of providing a service. Kind of the core of the
argument against all that.
I'll emphasize this - I do not say "don't do TARs." Have fun, do it.
But we are now seeing operational failures about once a week. And
this is while "experts" and promoters of DNSSEC are spending cycles
on it. That is what bothers me, not the concept of TARs (or whatever
they are called now).
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.
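The decoupling Michael describes (accept a DNSKEY, let the publisher derive DS records with whatever digest type it wants) is a small, well-specified computation: RFC 4034 section 5.1.4 defines the DS digest as hash(canonical owner name wire form || DNSKEY RDATA), and Appendix B defines the key tag. The script below is an added illustration written for this archive, not code from the thread, from NeuStar, or from any registry. It parses a DNSKEY in presentation format and emits DS records for both SHA-1 (digest type 1) and SHA-256 (digest type 2). The owner name and the 8-byte "public key" are constructed placeholders for demonstration; a real DNSKEY carries a full RSA or ECDSA key.

```python
import base64
import hashlib
import struct

# Digest type code points from RFC 4034 (SHA-1) and RFC 4509 (SHA-256).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    each label length-prefixed, terminated by the root label 0x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rr(line: str) -> dict:
    """Parse '<owner> [TTL] IN DNSKEY <flags> <proto> <alg> <base64...>'.
    The base64 key may be split across several whitespace-separated tokens."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    if protocol != 3:
        # RFC 4034 s2.1.2: any other protocol value makes the key invalid.
        raise ValueError("DNSKEY protocol must be 3, got %d" % protocol)
    public_key = base64.b64decode("".join(tokens[idx + 4:]))
    return {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": public_key}


def make_ds(rr: dict, digest_type: int) -> dict:
    """Derive the DS RDATA fields for one digest type from a parsed DNSKEY."""
    hasher = DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(rr["flags"], rr["protocol"], rr["algorithm"], rr["public_key"])
    digest = hasher(owner_name_wire(rr["owner"]) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rr["algorithm"],
            "digest_type": digest_type, "digest": digest}


def ds_presentation(rr: dict, ds: dict) -> str:
    """Render a DS record in zone-file presentation format."""
    return "%s IN DS %d %d %d %s" % (rr["owner"], ds["key_tag"], ds["algorithm"],
                                     ds["digest_type"], ds["digest"])


# Constructed sample: mixed-case owner, KSK flags (257), algorithm 8,
# and a bogus 8-byte key (base64 of bytes 0x01..0x08). Not a real key.
SAMPLE_DNSKEY = "Example.COM. 3600 IN DNSKEY 257 3 8 AQIDBAUGBwg="

if __name__ == "__main__":
    rr = parse_dnskey_rr(SAMPLE_DNSKEY)
    # The registry can publish whichever digest types it supports from
    # the single submitted key; the registrant never has to resubmit.
    for dt in sorted(DIGEST_TYPES):
        print(ds_presentation(rr, make_ds(rr, dt)))
```

Running it prints one DS line per supported digest type for the same submitted key; adding a new digest type is a one-entry change to DIGEST_TYPES on the publisher's side, which is exactly the property being argued about above, for better or worse.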