Dear DNSOP,
Thank you for the review of -01! We have addressed the feedback and sorted out
the remaining editorial issues. For a summary, see below.
We are not aware of any outstanding questions or issues. The protocol is now in
production at Cloudflare and SWITCH, amongst others.
Given this state of things, we would like to propose advancing the draft to the
next stage once the WG feels that the time has come.
Most significant changes since -01:
| Clarified that RFC 8078 Section 3 is not replaced, but its methods
| are deprecated. (Libor's suggestion -- thanks!)
|
| Included NSEC walk / AXFR as possible triggers for DS
| bootstrapping. (John's suggestion -- thanks!)
Other changes since -01:
| Added new deployments to Implementation section.
|
| Editorial changes.
Thanks,
Peter
On 8/17/22 14:47, internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.
Title : Automatic DNSSEC Bootstrapping using Authenticated
Signals from the Zone's Operator
Authors : Peter Thomassen
Nils Wisiol
Filename : draft-ietf-dnsop-dnssec-bootstrapping-02.txt
Pages : 15
Date : 2022-08-17
Abstract:
This document introduces an in-band method for DNS operators to
publish arbitrary information about the zones they are authoritative
for, in an authenticated fashion and on a per-zone basis. The
mechanism allows managed DNS operators to securely announce DNSSEC
key parameters for zones under their management, including for zones
that are not currently securely delegated.
Whenever DS records are absent for a zone's delegation, this signal
enables the parent's registry or registrar to cryptographically
validate the CDS/CDNSKEY records found at the child's apex. The
parent can then provision DS records for the delegation without
resorting to out-of-band validation or weaker types of cross-checks
such as "Accept after Delay" ([RFC8078]).
This document deprecates the DS enrollment methods described in
Section 3 of [RFC8078] in favor of Section 3 of this document.
[ Ed note: This document is being collaborated on at
https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/
(https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/).
The authors gratefully accept pull requests. ]
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-02.html
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-02
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--
Like our community service? 💛
Please consider donating at
https://desec.io/
deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany
Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
