Hi Tony, Jim, all,

thank you for your interest in automatic updates of DS records in the
RIPE database. My piece of (slightly) running code is growing here:

https://github.com/oskar456/ripe_db_ds_updater

As I said, it is a very early version, not even alpha, but hopefully it
will evolve in the future.

In my opinion, the implementation of RFC 7344 in RIPE DB should follow
principles similar to this tool's, that is:

 - opt-in basis – we expect some level of knowledge from DNSSEC reverse
zone operators; scanning the whole delegation space regularly would be
a pretty futile job, at least with the current status of DNSSEC in the
reverse address space*

 - no support for insecure to secure bootstrapping (RFC 8078) - if this
automatic management is opt-in, during opting in, the user should also
bootstrap the first DS

The exact procedure of opting in is an implementation detail. I
personally quite like the idea of a special mntner, because it also
stresses the fact that the actual object can be modified without the
consent of the regular mntner. Another solution would be to move
automatically-managed data out of the database, so the database object
would not get modified with every DS update.

-- 
Best regards

Ondřej Caletka

*) I don't have any numbers, but I expect the adoption ratio is pretty low.
