[dns-operations] .TH signed

Edward Lewis Ed.Lewis at neustar.biz
Wed Apr 8 19:22:41 UTC 2009

At 14:04 -0500 4/8/09, Michael Graff wrote:

>When I submit name servers for my domains, I submit money (heh) and name
>server hosts, and IP addresses.  I never submit "NS records" nor "A
>records."  I don't know or care about the method these are published,
>nor their format.

You see the registrant-to-registrar (GU) interface.  The back-end EPP 
interface sends in NS and A(AAA) records in XMLized format.

>I don't see why one could not accept DNSKEYs directly, rather than a DS.
>  After all, I don't submit a representation of the name servers, I
>submit their names.  Why not submit the key record, and how it is
>published is up to the publisher?  I know it is too late for 4310.

Didn't say can't, and it's never too late to comment on an RFC. ;) 
In RFC 4310, you can submit a DNSKEY but so far registry operators 
side with the DS option.

>>  A registry shouldn't be trying to infer something, anything, about
>>  registrants.  A registry should take what a registrant (or the agent
>>  of/registrar) explicitly says to register and record the association -
>>  modulo authentication, authorization, etc.
>See above.  The binding between what the user submits and what is
>published does not have to be 1:1, IMHO.  It already is not, in fact.
>Plus, having the key submitted allows one to publish DS or DLV records
>with any type of hash desired -- SHA1, SHA256, whatever.  It decouples
>the data the user sees from the data the publisher generates, which
>decouples the user from the technology used to bind the parent/child

My assessment is that this is over engineering, over complicating the 
entire system.  I realize I should elaborate, but it would take a lot 
of logic to get back to that conclusion.

Choice, moving parts, etc., are all things that work against lowering 
operation cost of providing a service.  Kind of the core of the 
argument against all that.

I'll emphasize this - I do not say "don't do TARs."  Have fun, do it. 
But we are now seeing operational failures about once a week.  And 
this is while "experts" and promoters of DNSSEC are spending cycles 
on it.  That is what bothers me, not the concept of TARs (or whatever 
they are called now).

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
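The exchange above turns on what a registry can do with a submitted DNSKEY versus a submitted DS: given the key, the registry can derive a DS with whichever digest type it chooses; given only a DS, it can at best check the DS against the child's DNSKEY. The following is an added example, not code from either poster or from any registry's EPP back end. It implements the DS derivation of RFC 4034 section 5.1.4 (digest over the canonical owner name followed by the DNSKEY RDATA) and the key-tag algorithm of RFC 4034 Appendix B, for digest types 1 (SHA-1) and 2 (SHA-256, RFC 4509). The function names, the sample owner name and the 64-byte "public key" are constructed for illustration; the key bytes are not a real key.

```python
"""Added example: deriving and checking DS records from a DNSKEY (RFC 4034).

Illustrates the thread's point that a registry holding the DNSKEY can publish
a DS with any digest type it likes, while a registry handed a DS can only
verify it against the DNSKEY.  Sample key bytes are constructed, not real.
"""
import base64
import hashlib
import struct

# DS digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (must be 3), 1-byte algorithm, key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS RR.
    digest = H(canonical owner name || DNSKEY RDATA)  (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    h = DS_DIGEST_ALGS[digest_type]
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key_b64) -> bool:
    """Registry-side check when a DS (not a DNSKEY) is submitted: recompute the
    DS from the child's DNSKEY and compare all four fields.  Unknown digest
    types are rejected rather than guessed at."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST_ALGS:
        return False
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, dtype)
    return expected == (tag, alg, dtype, digest.upper())


# Constructed sample: a KSK-flagged (257) key, algorithm 8 (RSASHA256), with a
# made-up 64-byte "public key".  Shape is right; the bytes are not a real key.
SAMPLE_OWNER = "Example.COM."
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = (SAMPLE_OWNER, 257, 3, 8, SAMPLE_KEY_B64)


def publish_ds_set(dnskey=SAMPLE_DNSKEY):
    """What a registry that received the DNSKEY can publish: one DS per
    supported digest type, all sharing the same key tag and algorithm."""
    owner, flags, proto, alg, key = dnskey
    return [ds_from_dnskey(owner, flags, proto, alg, key, dt) for dt in DS_DIGEST_ALGS]


if __name__ == "__main__":
    for tag, alg, dtype, digest in publish_ds_set():
        print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

Running the module prints one DS line per digest type for the constructed key. The owner-name canonicalisation matters: a DS computed over `Example.COM.` and one computed over `example.com.` must be identical, which is why `name_to_wire` lowercases before hashing. RFC 4034 section 5.4 carries a worked DNSKEY/DS pair that can be fed through `ds_from_dnskey` to check the implementation against a published value.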
