On 2 Aug 2019, at 15:30, Bob Harold <rharo...@umich.edu> wrote:

> I just had what might be a crazy idea.
> What if the covert data was encrypted, and could be transferred normally, but
> only someone with the key could read it?
> It could then be put in a new record or in TXT records.
> Requires a tool (script) to read/write it, but no changes to the DNS servers.
> Does that make any sense?
To my eye (such as it is) Olafur is on the right track with this. This is a provisioning problem, not a DNS problem.

I think it makes more sense to consider the zone as just one parameter in a DNS workload; other parameters like master servers, zone-specific configuration, NOTIFY lists, etc. are additional parameters. Together they make up a blob of DNS provisioning workload. I think the ability to include RRSet metadata (comments, change history, authorisation, data provenance, whatever) in such a blob is most simply a further deconstruction of the "zone" member of that blob.

I do see the benefits of standardising DNS provisioning in general. I would love to be able to have a standard mechanism to add a blob such as that imagined above to an anycast cloud of authoritative DNS servers, for example, instead of having to jump through provider-specific flaming hoops of tickets and APIs.

Joe
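As an added example (not code from the thread, and not something Bob or Joe posted), here is one way Bob's read/write tool could look: per-RRset metadata (comment, change history, ticket) is serialised, encrypted and authenticated under a shared key, base64-encoded, split into the 255-octet character-strings a TXT record allows, and published under a companion name. The record travels with the zone through AXFR and secondaries unchanged, while anyone without the key sees only opaque text and any tampering is rejected on read. The `_meta.<owner>` naming convention, the key-labelling scheme and the record TTL are assumptions for illustration; the cipher is a stdlib-only encrypt-then-MAC stand-in (HMAC-SHA256 keystream plus HMAC tag) so the script runs without third-party packages, and a real deployment should use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Sealed RRset metadata in TXT records: write side and read side.

Added example for the idea discussed in the thread; the record name
_meta.<owner>, the key labels and the TTL are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import os
import re

NONCE_LEN = 12
TAG_LEN = 16
TXT_STRING_MAX = 255  # RFC 1035: TXT RDATA is one or more <character-string>s of <= 255 octets


def _subkeys(master_key):
    """Derive independent encryption and MAC keys from the one shared secret (labels are assumptions)."""
    enc = hmac.new(master_key, b"rrset-meta/enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"rrset-meta/mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream: stdlib stand-in for a real AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key, plaintext, nonce=None):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; a nonce must never repeat under one key."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(master_key, blob):
    """Check the tag in constant time before decrypting; ValueError on wrong key or altered record."""
    enc_key, mac_key = _subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def to_txt_strings(blob):
    """Base64 the sealed blob and cut it into <=255-octet TXT character-strings."""
    b64 = base64.b64encode(blob).decode("ascii")
    return [b64[i:i + TXT_STRING_MAX] for i in range(0, len(b64), TXT_STRING_MAX)]


def from_txt_strings(strings):
    """Concatenate the character-strings in RDATA order and decode."""
    return base64.b64decode("".join(strings))


def write_metadata(master_key, owner, metadata, nonce=None):
    """Return a zone-file TXT line carrying sealed metadata for <owner> (TTL and name are assumptions)."""
    blob = seal(master_key, json.dumps(metadata, sort_keys=True).encode("utf-8"), nonce)
    quoted = " ".join('"%s"' % s for s in to_txt_strings(blob))  # base64 needs no TXT escaping
    return "_meta.%s 3600 IN TXT %s" % (owner, quoted)


def txt_strings_from_rr(line):
    """Pull the quoted character-strings out of a zone-file TXT line produced above."""
    return re.findall(r'"([^"]*)"', line)


def read_metadata(master_key, txt_strings):
    """Recover the metadata dict; raises ValueError if the key is wrong or the record was altered."""
    return json.loads(unseal(master_key, from_txt_strings(txt_strings)).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample input: a comment and change history for www.example.com.
    key = b"shared-secret-for-the-ops-team"  # constructed; load from a secret store in practice
    meta = {"comment": "moved to new CDN", "changed_by": "rharold", "ticket": "TKT-123"}
    rr = write_metadata(key, "www.example.com.", meta)
    print(rr)
    print(read_metadata(key, txt_strings_from_rr(rr)))
```

The read side deliberately verifies before decrypting and fails closed, so a secondary that serves a modified `_meta` record, or an operator using the wrong key, gets an error rather than silently wrong metadata. Joe's point still applies: the record format is the easy part, and what this does not solve is the provisioning question of how the key, the naming convention and the record itself are pushed to every authoritative server.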
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop