[dns-operations] Looking for panelists for DNSSEC provisioning session at Cancún ICANN meeting in March

sivasubramanian muthusamy 6.internet at gmail.com
Mon Jan 27 15:43:06 UTC 2020


On Mon, Jan 27, 2020, 20:52 Steve Crocker <steve at shinkuro.com> wrote:

> Folks,
>
>
> I am organizing a panel session within the DNSSEC Workshop during
> the upcoming ICANN meeting in Cancún in March on the subject of DNSSEC
> provisioning.  There are two related but somewhat distinct topics.  One is
> the update of the DS record when the DNS provider rolls the key.  The other
> is how multiple DNS providers coordinate when each is signing the zone.
> Various proposals exist to solve each of these problems, but none has been
> fully accepted, and each suffers from a gap in the provisioning process.
>
>
> Depending on who is on the panel, we can cover either both topics or
> just the first topic.  I also intend to organize a session on these topics
> in Paris in May at the ICANN Global Domains Division Summit and/or the DNS
> Symposium.  Also, the dnssec-provisioning at shinkuro.com mailing list is
> specifically devoted to these two topics.
>
>
> Please let me know if you're interested in participating and if you have a
> position on how to address these problems.
>
>
> *Details*
>
>
> What is the path forward for automating solutions to these two
> provisioning problems?  Are new protocols needed?  What changes are
> required of registrars, DNS providers and/or registries?
>
>
>
> With respect to updating DS records, the solution space is basically a two
> by two matrix, with a subordinate third dimension:
>
>    - Are new DS records pushed upward, i.e. is the transmission initiated
>    by the DNS provider, or are new DS records pulled upward by the registry or
>    registrar?
>
>    - Is the registry or the registrar involved on the upper end of the
>    transmission?
>
>
> The subordinate third dimension is whether the KSK, DS or both are
> communicated.
>
>
> The solution in RFC 8078 is the pull/registry solution with support for
> both KSK and DS.  It was developed by a couple of DNS providers and is on
> the IETF standards track, but, so far as I can tell, is being adopted by
> relatively few ccTLDs and is not gaining any traction within the gTLD
> community.  In contrast, GoDaddy has suggested its Domain Connect software
> could be extended to allow a push/registrar solution for DS updates.
>
>
>
> With respect to coordination among multiple DNS providers, Shumon Huque,
> et al.'s Internet-Draft https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec-01
> sets forth a scheme for multiple DNS providers to coordinate cross-signing of the
> same zone when it's served from multiple providers.
>
>
>
> I have both a general and a specific interest in this.  The general
> interest is in seeing some sort of solution be adopted in order to
> facilitate smoother operation and greater adoption of DNSSEC.  My specific
> interest is a guess that if the registrant could add the names of his DNS
> providers into the registration details, it would make both of these
> coordination processes much easier.
>

On the point immediately above:

I am a Registrant, with five or six of my own domain names under a
"Reseller" account which manages only these few accounts. I have found
creation of various DNS/MX records, some in the Domain Control panel, and
some in the Web hosting control panel to be tasks that are not
'user-friendly' for the average Registrant. Besides, with a view to avoiding
errors that might interfere with the site's functionality, I have always
found it convenient to ask the Master reseller to create / update all
necessary records.

Is there a way of making these tasks expected of the Registrant to be as
easy as ordering ice cream from an online ice cream vendor? Or come up with
an alternate method of enabling the non-technical Registrant (for this
purpose, over 90% of the global Internet users) to maintain and announce
their DNS records as good as an advanced expert does?

Sivasubramanian M



> Thanks,
>
>
> Steve Crocker
>
>