Allowing the reverse zone method seems ok, but only if it is little extra work, and does not hold up the rest. As has been said, users can usually get a third-party NS record, and the Registrars usually have a manual method to add the first DS record. This is a one-time event "per domain", but once you have your first signed domain, then use an NS in that domain to bootstrap the rest, so it really becomes a one-time event per organization.
--
Bob Harold

On Wed, Jun 22, 2022 at 8:40 AM Paul Wouters <p...@nohats.ca> wrote:
> Unfortunately, the reverse zone is very often out of reach for those who
> use the IP range and trying to do classless reverse delegation (RFC 2317)
> for those who have less than a /24 is even harder to get.
>
> Paul
>
> Sent using a virtual keyboard on a phone
>
> On Jun 21, 2022, at 23:30, rubensk=40nic...@dmarc.ietf.org wrote:
>
> On 22 Jun 2022, at 00:07, John Levine <jo...@taugh.com> wrote:
> It appears that <rube...@nic.br> said:
>
> Hi.
> During a meeting today of ROW (https://regiops.net), the I-D on CDS
> bootstrapping by using a DNSSEC-signed name at name server zone
> (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/)
> was discussed.
> In that discussion, it was mentioned that the current draft only supports
> out-of-bailiwick name servers; I replied that the same principle could be
> applied to in-bailiwick name servers by usage of the reverse DNS zones for
> IPv4 and IPv6.
>
> Urrgh. In principle, you can put anything you want in a reverse zone.
> (Send mail to jo...@18.183.57.64.in-addr.arpa. and it'll work.)
>
> That's my recollection as well, but as the saying goes, code is law.
> Although in this case only registry/registrar and DNS operator are required
> to interoperate for the bootstrapping process.
>
> In practice, I doubt that enough reverse zones are signed or that the
> provisioning crudware that people use for reverse zones would work
> often enough to be worth trying to do this. I did some surveys of
> zones and found that in-bailiwick NS are quite uncommon, only a few
> percent of the ones in large gTLDs.
>
> I don't expect the IP space used for DNS servers to be managed thru an
> IPAM system of sorts. But if one is used, it's unlikely they provision a
> zone-cut as required in the draft.
>
> The prevalence among the overall DNS system is indeed low, but I wonder
> what % this represents within services that allow all of DNSSEC, CDS
> Bootstrapping and in-bailiwick DNS servers, like Business and Enterprise
> plans in Cloudflare:
> https://developers.cloudflare.com/dns/additional-options/custom-nameservers/
>
> Or if supporting this type of DNS servers can help the adoption of this
> draft for the 99.9% use case of out-of-bailiwick servers. If not, we could
> be adding a new piece to the DNS Camel...
>
> Rubens
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
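The bootstrap chain Bob describes and the in-bailiwick gap the thread turns on, as an added Python example (not code from the draft, nor from any poster): it builds the draft's signaling name `_dsboot.<child>._signal.<ns>` for an out-of-bailiwick nameserver (an NS in an already-signed zone), refuses in-bailiwick ones as the draft does, and shows where Rubens' reverse-zone variant would put the same records. The `_dsboot`/`_signal` labels follow draft-ietf-dnsop-dnssec-bootstrapping; the reverse-zone placement and the RFC 2317 check are this example's assumptions, not anything the draft specifies.

```python
# Added example for this thread, not code from the draft or any poster.
# _dsboot/_signal follow draft-ietf-dnsop-dnssec-bootstrapping; placing the
# records under the reverse zone for in-bailiwick NS is the thread's idea,
# laid out here as an assumption, not something the draft defines.
import ipaddress

BOOT_LABEL, SIGNAL_LABEL = "_dsboot", "_signal"

def _norm(name):
    """Lower-case and strip the trailing dot so comparisons are label-wise."""
    return name.rstrip(".").lower()

def is_in_bailiwick(child, ns_host):
    """True when ns_host is at or below the child (ns1.example.com for
    example.com): the draft excludes these, because the signaling zone would
    then depend on the very delegation being bootstrapped."""
    c, n = _norm(child), _norm(ns_host)
    return n == c or n.endswith("." + c)

def signaling_name(child, ns_host):
    """Draft method: the parent queries CDS/CDNSKEY at
    _dsboot.<child>._signal.<ns_host>. and validates them with DNSSEC.
    Returns None for an in-bailiwick nameserver."""
    if is_in_bailiwick(child, ns_host):
        return None
    return f"{BOOT_LABEL}.{_norm(child)}.{SIGNAL_LABEL}.{_norm(ns_host)}."

def reverse_signaling_name(child, ns_ip):
    """Thread's proposal (assumed layout): same records under the reverse
    name of the nameserver's address, e.g. ...53.100.51.198.in-addr.arpa."""
    ptr = ipaddress.ip_address(ns_ip).reverse_pointer
    return f"{BOOT_LABEL}.{_norm(child)}.{SIGNAL_LABEL}.{ptr}."

def bootstrap_plan(child, nameservers):
    """nameservers: {hostname: (ip, prefixlen)}. Says which method applies per
    NS and what the parent would query. Paul's caveat: an IPv4 block smaller
    than /24 first needs RFC 2317 classless reverse delegation before the
    operator controls (and can sign) anything under in-addr.arpa."""
    plan = {}
    for host, (ip, prefixlen) in nameservers.items():
        name = signaling_name(child, host)
        if name:
            plan[host] = {"method": "draft", "query": name, "rfc2317": False}
            continue
        needs_2317 = ipaddress.ip_address(ip).version == 4 and prefixlen > 24
        plan[host] = {"method": "reverse zone (thread proposal)",
                      "query": reverse_signaling_name(child, ip),
                      "rfc2317": needs_2317}
    return plan
```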