[dns-operations] What would it take...

Doug Barton dougb at dougbarton.us
Wed Mar 11 18:19:53 UTC 2015


On 3/11/15 11:11 AM, Edward Lewis wrote:
> On 3/11/15, 13:31, "Doug Barton" <dougb at dougbarton.us> wrote:
>
>> Neither solves the problem of authenticating the entity which is sending
>> the DS update.
>
> Note that my request was not for a means to update the parent but to
> prevent the child from shooting themselves in the foot.  A much less
> involved operation.
>
> Perhaps I wasn't clear enough in my plea.

FWIW, I understood where you were going, and I don't disagree. I was 
responding to Paul and Mark who were not only headed off into the weeds, 
but were getting close to the poison oak. :)

> Is there a reason the grand toolset cannot build in a breaking system to
> prevent taking unwise steps?  Like refusing to remove a DNSKEY if the DS
> set exists and does not reference any other key?

I think it would be OK to put up a large, difficult-to-ignore warning 
that the user is about to do something painfully stupid, sure. How much 
farther than that to go is an exercise for the implementors.

And the issue of non-BIND authoritative servers not doing their own 
iterative queries is a red herring. I would be astonished if those 
systems were not on a host that had access to a resolver.

Doug
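The guard rail Edward is asking for, written out as an added example (this is not code from the thread, BIND, or any other signer): before a DNSKEY is dropped from the child's set, compare the parent's DS RRset against the keys that would remain and refuse when none of them is still referenced. It assumes the DS RRset and DNSKEY RRset have already been fetched (via the resolver Doug points to) and are represented as the tuples described in the comments.

```python
import hashlib
import struct

# Assumed input shapes (not a real tool's API):
#   DNSKEY: (flags, protocol, algorithm, public_key_bytes)
#   DS:     (key_tag, algorithm, digest_type, hex_digest) as published at the parent.

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA per RFC 4034 section 2.1."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit sum with carry folded in)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_digest(zone, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()

def ds_references(zone, ds, key):
    """True if this DS record was derived from this DNSKEY (tag, algorithm and digest all match)."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(*key)
    return (alg == key[2] and dtype in DIGESTS and tag == key_tag(rdata)
            and ds_digest(zone, rdata, dtype) == digest.upper())

def safe_to_remove(zone, dnskeys, ds_set, key_to_remove):
    """Refuse (False) when a DS set exists at the parent and no remaining DNSKEY matches it."""
    if not ds_set:
        return True  # no DS at the parent: removing a key cannot break the chain of trust
    remaining = [k for k in dnskeys if k != key_to_remove]
    return any(ds_references(zone, ds, k) for ds in ds_set for k in remaining)
```

A signer that wraps its key-removal path in `safe_to_remove` can then emit the warning Doug suggests, or hard-refuse, as the implementor chooses.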