[dns-operations] Looking for panelists for DNSSEC provisioning session at Cancún ICANN meeting in March
Steve Crocker
steve at shinkuro.com
Mon Jan 27 15:22:10 UTC 2020
Folks,
I am organizing a panel session within the DNSSEC Workshop during
the upcoming ICANN meeting in Cancún in March on the subject of DNSSEC
provisioning. There are two related but somewhat distinct topics. One is
the update of the DS record when the DNS provider rolls the key. The other
is how multiple DNS providers coordinate when each is signing the zone.
Various proposals exist to solve each of these problems, but none has been
fully accepted, and each suffers from a gap in the provisioning process.
Depending on who is on the panel and we can cover either both topics or
just the first topic. I also intend to organize a session on these topics
in Paris in May at the ICANN Global Domains Division Summitt and/or the DNS
Symposium. Also, the dnssec-provisioning at shinkuro.com mailing list is
specific devoted to these two topics.
Please let me know if you're interested in participating and if you have a
position on how to address these problems.
*Details*
What is the path forward for automating solutions to these two provisioning
problems? Are new protocols needed? What changes are required of
registrars, DNS providers and/or registries?
With respect to updating DS records, the solution space is basically a two
by two matrix, with a subordinate third dimension:
- Are new DS records pushed upward, i.e. is the transmission initiated
by the DNS provider, or are new DS records pulled upward by the registry or
registrar?
- Is the registry or the registrar involved on the upper end of the
transmission?
The subordinate third dimension is whether the KSK, DS or both are
communicated.
The solution in RFC 8078 is the pull/registry solution with support for
both KSK and DS. It was developed by a couple of DNS providers and is on
the IETF standards track, but, so far as I can tell, is being adopted by a
relatively few ccTLDs and is not gaining any traction within the gTLD
community. In contrast, GoDaddy has suggested its Domain Connect software
could be extended to allow a push/registrar solution for DS updates.
With respect to coordination among multiple DNS providers, Shumon Huque, et
al's Internet-Draft
https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec-01
[tools.ietf.org]
<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Ddnsop-2Dmulti-2Dprovider-2Ddnssec-2D01&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=_qSa12UaM5Nl6sbpmBZnYyeUu-qJt2ubgQJechcqldM&m=zQDYr_jJSOyuDOEF5tU7f-JhexPBRkY5Clkb6Rn9m3s&s=eH4Q6Yxg9dNg2IRqEmEWewca-7dYhKmHKbAZyCP7yHg&e=>
sets
for a scheme for multiple DNS providers to coordinate cross-signing of the
same zone when it's served from multiple providers.
I have both a general and a specific interest in this. The general
interest is in seeing some sort of solution be adopted in order to
facilitate smoother operation and greater adoption of DNSSEC. My specific
interest is a guess that if the registrant could add the names of his DNS
providers into the registration details, it would make both of these
coordination processes much easier.
Thanks,
Steve Crocker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200127/ae8cf3a7/attachment.html>
More information about the dns-operations
mailing list