Hi Tony,

On 9 Jul 2019, at 09:24, Tony Finch <d...@dotat.at> wrote:

> Joe Abley <jab...@hopcount.ca> wrote:
>
>> There is hence an operational risk that data will leak (e.g. by
>> configuration changes, software downgrades that are pragmatic
>> necessities, side systems that publish zone data in ways other than the
>> DNS).
>>
>> By keeping data that is already exchanged over a (manual) out-of-band
>> channel separate, and not packaging them up with zone data, the existing
>> segregation of private vs. public is preserved and the task is simply to
>> automate a process that is currently manual.
>
> Yes. It might make sense to put secret keys in catalog zones.

My sense is that there are far more examples today of people using REST interfaces to provision DNS services than there are people using catalogue zones, but I agree, catalogue zones are a category of the kind of out-of-zone signalling I'm suggesting. (I'm agreeing to your agreement to make the point that just because catalogue zones use the DNS as a substrate, they're not in-band in the sense of the original proposal.)

Joe
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop