Hi. During a meeting today of ROW (https://regiops.net), the I-D on CDS bootstrapping by using a DNSSEC-signed name in the name server's zone (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/) was discussed. In that discussion, it was mentioned that the current draft only supports out-of-bailiwick name servers; I replied that the same principle could be applied to in-bailiwick name servers by using the reverse DNS zones for IPv4 and IPv6.
Reverse DNS zones have been signed for a while now, as you can see in this walk-thru of the DNSSEC trust chain for one IP address: https://dnsviz.net/d/3.2.160.200.in-addr.arpa/dnssec/

So, instead of _dsboot.example.com.br._signal.ns1.example.net.br, it could be a CDS/CDNSKEY record at _dsboot.example.com.br._signal.1.2.0.192.in-addr.arpa or _dsboot.example.com.br._signal.b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. Or put _dsboot.example.com.br as the PTR response for that query, but keeping it aligned with direct resolution seems preferable to me.

Whether this violates any currently in-force DNS RFC/STD requirement, or whether it would fail to work with the current codebase of authoritative and recursive servers, I don't know.

Rubens
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
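The name construction the post is talking about, as an added example (not code from the post, the draft, or any implementation): given a child zone and its name server, it builds the draft-style signaling name `_dsboot.<child>._signal.<ns-hostname>` for an out-of-bailiwick server, and, for an in-bailiwick server, the reverse-zone variant proposed above, using the name server's IPv4/IPv6 glue addresses to form `in-addr.arpa` / `ip6.arpa` owner names. The in-bailiwick test, the wire-length check (63 octets per label, 255 per name) and the function names are this example's own assumptions; the reverse-name format comes from Python's standard `ipaddress` module. The sample child zone and addresses are the post's own examples.

```python
import ipaddress

MAX_LABEL_OCTETS = 63    # RFC 1035 limit per label
MAX_NAME_OCTETS = 255    # RFC 1035 limit for the whole wire-format name


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.strip(".").lower()


def wire_length(name: str) -> int:
    """Wire-format length of a name; raises if a label or the name is too long.

    Concatenating a child name and a long reverse name can push the signaling
    name past the 255-octet limit, so the caller should check before querying.
    """
    labels = _normalize(name).split(".")
    for label in labels:
        if not label or len(label) > MAX_LABEL_OCTETS:
            raise ValueError(f"bad label {label!r} in {name!r}")
    total = sum(len(label) + 1 for label in labels) + 1  # +1 for the root label
    if total > MAX_NAME_OCTETS:
        raise ValueError(f"{name!r} is {total} octets on the wire, limit {MAX_NAME_OCTETS}")
    return total


def is_in_bailiwick(child: str, ns_hostname: str) -> bool:
    """True when the name server's hostname lies inside the child zone.

    For such servers the _signal name would itself sit in the (still unsigned)
    child zone, which is why the post suggests the reverse zones instead.
    """
    c, n = _normalize(child), _normalize(ns_hostname)
    return n == c or n.endswith("." + c)


def signaling_name(child: str, ns_hostname: str) -> str:
    """Draft-style signaling name: _dsboot.<child>._signal.<ns-hostname>."""
    name = f"_dsboot.{_normalize(child)}._signal.{_normalize(ns_hostname)}"
    wire_length(name)  # validate before returning
    return name


def reverse_signaling_name(child: str, address: str) -> str:
    """Post's proposal: use the name server's reverse name in place of its hostname.

    ipaddress.reverse_pointer yields '1.2.0.192.in-addr.arpa' for IPv4 and the
    32-nibble 'x.x...ip6.arpa' form for IPv6 (hypothetical use, as in the post).
    """
    rev = ipaddress.ip_address(address).reverse_pointer
    return signaling_name(child, rev)


def bootstrap_signaling_names(child: str, ns_hostname: str, ns_addresses=()) -> list:
    """Pick the owner name(s) where a parent would look for CDS/CDNSKEY.

    Out-of-bailiwick: one name under the server's hostname (as in the draft).
    In-bailiwick: one name per glue address under in-addr.arpa / ip6.arpa
    (the post's extension, assumed here).
    """
    if not is_in_bailiwick(child, ns_hostname):
        return [signaling_name(child, ns_hostname)]
    if not ns_addresses:
        raise ValueError("in-bailiwick name server needs glue addresses for reverse-zone signaling")
    return [reverse_signaling_name(child, addr) for addr in ns_addresses]


if __name__ == "__main__":
    # Constructed sample input taken from the post's examples.
    print(bootstrap_signaling_names("example.com.br", "ns1.example.net.br"))
    print(bootstrap_signaling_names("example.com.br", "ns1.example.com.br",
                                    ["192.0.2.1", "2001:db8:1:2:3:4:567:89ab"]))
```

A parent-side checker would issue a CDS/CDNSKEY query for each returned name and validate it against the reverse zone's chain of trust, exactly as the draft does for the hostname case; the wire-length check matters because a long child name plus a 72-character `ip6.arpa` suffix is where the 255-octet limit first becomes a practical concern.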