On 3/10/15, 16:45, "Mark Andrews" <ma...@isc.org> wrote:

> Why don't we just implement TSIG signed updates...

In the sense of "baby steps first" - what I'm driving towards is "error detection", ensuring that the zone-to-be is in line with its environment. Getting to "error correction" is the next level, but complicates things.

>> Here are some impediments:
>>
>> 1) The entity responsible for the set up is not likely to be a
>> programmer.
>
> Doesn't matter. People do username/password pairs all the time.

The point was missed - the solution to this has to rely on updating tools, not expecting folks to modify code, write a few scripts, set up cron jobs. As someone familiar with coding, I could write this up for myself, but in general operations staff aren't going to develop anything very detailed.

>> 2) Authoritative servers don't launch queries.
>
> Has NEVER been true. SOA/IXFR queries are done regularly by
> authoritative servers. For over the last decade queries for
> nameserver addresses have been done for NOTIFY.

Okay, but, the queries are sent to IP addresses held in configurations or in authoritative data, not relying on what is learned at sea. They certainly don't iterate. I could quibble and say that messages sent by AXFR clients (RFC 5936), which are called queries, aren't exactly the same as queries sent when resolving a name - they share format and software but the trust model is different. And that matters here because I've held the belief that authoritative servers do not want to base their answers (authoritative answers) on information learned from outside their bailiwick.

>> 3) Authoritative servers don't know anything about the parent zone.
>
> Discoverable.

True, unless (as mentioned later) the master is firewalled off from the Internet (okay, lame argument). Yet we don't have tools that do this. Why not?

>> 4) The owners of the zone and the operator of the DNS are not always the
>> same entity (person, company).
>
> Doesn't matter.

(I don't know what you mean by "doesn't matter" other than you are disagreeing.)

I raised this impediment to try to point the solution into tools (and standards) and not relying on processes. The world we live in has managed to build business relationships that do not align with the needed communications to make things work smoothly. (This is why I called DNSSEC "clumsy" at a Centr meeting in October 2013 - clumsy as in, it can be made to work but needs more expertise than is evidently available in the labor market. Evident by the frequency of defects.)

> I've already submitted a draft that would make this all possible.
>
> Sending signed UPDATE messages is relatively trivial.

Which one? Is there an implementation of this? Any operational experience?
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
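The "error detection" step the reply is driving at (checking that a child zone's apex data agrees with what the parent publishes, before anyone attempts automated correction) can be shown with a small stand-alone check. The following is an added example written for this page, not code from the thread, from ISC, or from the draft mentioned; it uses only the Python standard library, and every zone name, NS name and key below is constructed sample data, not a real delegation. It computes the DS a parent should hold for each SEP-flagged DNSKEY (RFC 4034 key tag and SHA-256 digest) and compares NS sets, reporting mismatches without changing anything.

```python
# Added example (not from the thread): a pure-stdlib "error detection" check
# that a child zone's apex data agrees with what its parent publishes.
# Names, keys and records below are constructed sample data, not real zones.
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2: lowercase, uncompressed)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """DS (digest type 2, SHA-256) the parent should hold for this DNSKEY (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def check_delegation(zone, parent_ns, parent_ds, child_ns, child_dnskeys):
    """Return a list of human-readable problems; an empty list means parent and child agree."""
    problems = []
    p_ns = {n.lower().rstrip(".") for n in parent_ns}
    c_ns = {n.lower().rstrip(".") for n in child_ns}
    if p_ns != c_ns:
        problems.append("NS mismatch: parent-only=%s child-only=%s"
                        % (sorted(p_ns - c_ns), sorted(c_ns - p_ns)))
    # Only keys with the SEP bit (flags & 1) are expected to have a DS at the parent.
    expected_ds = {ds_from_dnskey(zone, *k) for k in child_dnskeys if k[0] & 1}
    p_ds = set(parent_ds)
    for ds in sorted(p_ds - expected_ds):
        problems.append("DS tag %d alg %d at parent matches no child SEP DNSKEY" % (ds[0], ds[1]))
    if p_ds and not (p_ds & expected_ds):
        problems.append("no parent DS matches any child key: the chain of trust is broken")
    if expected_ds and not p_ds:
        problems.append("child publishes SEP DNSKEY(s) but parent has no DS: delegation is insecure")
    return problems


# Constructed sample data (hypothetical zone, hypothetical keys).
ZONE = "example.test."
KSK = (257, 3, 13, base64.b64encode(b"constructed KSK public key bytes").decode())
ZSK = (256, 3, 13, base64.b64encode(b"constructed ZSK public key bytes").decode())
CHILD_NS = {"ns1.example.test.", "ns2.example.test."}


def consistent_case():
    """Parent DS derived from the child's current KSK, identical NS sets."""
    parent_ds = {ds_from_dnskey(ZONE, *KSK)}
    return check_delegation(ZONE, CHILD_NS, parent_ds, CHILD_NS, [KSK, ZSK])


def stale_parent_case():
    """Parent still lists an old NS and a DS for a key the child has retired."""
    old_ksk = (257, 3, 13, base64.b64encode(b"retired KSK public key bytes").decode())
    parent_ds = {ds_from_dnskey(ZONE, *old_ksk)}
    parent_ns = {"ns1.example.test.", "ns-old.example.test."}
    return check_delegation(ZONE, parent_ns, parent_ds, CHILD_NS, [KSK, ZSK])


if __name__ == "__main__":
    for label, fn in (("consistent", consistent_case), ("stale parent", stale_parent_case)):
        print(label, "->", fn() or ["OK"])
```

In practice the parent-side inputs would come from querying the parent's servers for the delegation NS and DS RRsets and the child-side inputs from the zone file or the apex DNSKEY/NS RRsets; the point of keeping the check read-only is that it can run from an operator's tooling without any of the trust-model questions raised above about an authoritative server acting on data learned from outside its bailiwick.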