[dns-operations] DNS self-updates (was: DNSSEC deployment incentives)

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jun 20 00:01:24 UTC 2019

On Thu, Jun 20, 2019 at 09:21:29AM +1000, Mark Andrews wrote:

> > One thing I'd like to see is the ability for a server to use its
> > current private key and certs (that match its existing TLSA RRset)
> > to use DNS "update" to publish a revised TLSA RRset (perhaps via
> > SIG(0) with the TLSA records used as the ACL in the nameserver).
> > If any of the implementors of BIND, NSD, PowerDNS, ... are interested,
> > please reach out…
> What do you want to do that the update-policy doesn’t already support?
> See grant self and self-sub.  They are designed to allow a machine to
> update records associated with itself, be they A, AAAA, SRV, TLSA, KEY,
> SSHFP, with control down to the record type.

What does "self" mean?  What authenticates an incoming update packet
as "self"?  It'd be great if that were the content of the TLSA RRset.