[dns-operations] .TH signed
Ed.Lewis at neustar.biz
Wed Apr 8 19:22:41 UTC 2009
At 14:04 -0500 4/8/09, Michael Graff wrote:
>When I submit name servers for my domains, I submit money (heh) and name
>server hosts, and IP addresses. I never submit "NS records" nor "A
>records." I don't know or care about the method these are published,
>nor their format.
You see the registrant to registrar (GUI) interface. The back end EPP
interface sends in NS and A(AAA) records in XMLized format.
>I don't see why one could not accept DNSKEYs directly, rather than a DS.
> After all, I don't submit a representation of the name servers, I
>submit their names. Why not submit the key record, and how it is
>published is up to the publisher? I know it is too late for 4310.
Didn't say can't, and it's never too late to comment on an RFC. ;)
In RFC 4310, you can submit a DNSKEY but so far registry operators
side with the DS option.
>> A registry shouldn't be trying to infer something, anything, about
>> registrants. A registry should take what a registrant (or the agent
>> of/registrar) explicitly says to register and record the association -
>> modulo authentication, authorization, etc.
>See above. The binding between what the user submits and what is
>published does not have to be 1:1, IMHO. It already is not, in fact.
>Plus, having the key submitted allows one to publish DS or DLV records
>with any type of hash desired -- SHA1, SHA256, whatever. It decouples
>the data the user sees from the data the publisher generates, which
>decouples the user from the technology used to bind the parent/child
My assessment is that this is over engineering, over complicating the
entire system. I realize I should elaborate, but it would take a lot
of logic to get back to that conclusion.
Choice, moving parts, etc., are all things that work against lowering
operation cost of providing a service. Kind of the core of the
argument against all that.
I'll emphasize this - I do not say "don't do TARs." Have fun, do it.
But we are now seeing operational failures about once a week. And
this is while "experts" and promoters of DNSSEC are spending cycles
on it. That is what bothers me, not the concept of TARs (or whatever
they are called now).
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.
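The decoupling argued for in the quoted passage above (accept the DNSKEY, let the parent derive a DS with whichever digest it chooses) is shown in this added Python example, which is not from the thread or from any registry's EPP implementation. The owner name and the key bytes are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct

# Digest types a parent may choose for the DS record (RFC 4034 and RFC 4509).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Derive the DS RDATA the parent would publish for a submitted DNSKEY."""
    if digest_type not in DS_DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    # RFC 4034 section 5.1.4: digest = hash(owner name wire form | DNSKEY RDATA)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def format_ds(ds: dict) -> str:
    """Presentation form of the DS record as it would appear in the parent zone."""
    return (f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


if __name__ == "__main__":
    # Constructed sample values, not a real key: a KSK (flags 257) with a 4-byte "key".
    for dtype in DS_DIGESTS:
        print(format_ds(ds_from_dnskey("example.com.", 257, 3, 8, "AQIDBA==", dtype)))
```

The same submitted key yields one DS per digest type, with the key tag and algorithm unchanged; only the digest type and digest differ, which is the point made about the registrant not needing to care which hash the publisher uses.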