Hi,

On 6/10/23 21:42, Tim Wicinski wrote:
All

The chairs have been looking at two different drafts discussing the use of DNS NOTIFY to update DNSSEC information.  The two drafts are:

https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-generalized-dns-notify-01

https://datatracker.ietf.org/doc/html/draft-dsawp-notify-00

Mr. Thomassen's draft is a bit more ambitious than Mr. Levine's draft, but both appear to work on the problem space of DNSSEC update automation.  The chairs are big fans of work around making DNSSEC deployment more operationally resilient.

We have some questions for the WG - if DNSOP adopted one of these, would DNS server vendors implement it down the road? (We think so)

I would definitely want to implement a CDS notify to the parent. It would help get rid of the wasteful polling and we can reuse existing NOTIFY code. It feels like a good Hackathon project :)

It looks to me that this mechanism consists of three parts:

1. Notify the parent of a CDS/CDNSKEY/CSYNC change.
2. Notify a signer in a multi-signer group of DNSKEY/CDS/CDNSKEY change.
3. Locating the server to notify (NOTIFY record).

It seems that John Levine's draft is mainly covering part 1, while the draft from Johan and Peter covers all three.

I don't know if all three parts should be covered in one document, although they are strongly connected to each other.

I think the part about multi-signer may face the biggest challenges (see my comments on the Generalized DNS Notifications draft), so if that turns out to slow down things, I wouldn't mind focusing on DS automation first, and perhaps a successor document that can tackle the multi-signer scenario.

Best regards,

Matthijs

The ICANN SSAC has been looking at this issue, so the ICANN meeting this coming week may be a good time for technical folks to discuss some of these ideas.

Feedback Welcome

thanks
tim
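As an added illustration of part 1 of the mechanism discussed above (not code from either draft or from any DNS implementation): a minimal wire-format builder for a NOTIFY(CDS) message from a child to its parent, plus the receiver-side sanity check a parent would apply before acting. Type codes and the NOTIFY opcode are the standard IANA values; the zone names and the delegation set are constructed sample data. The parent treats the message only as a hint to go fetch and validate the child's CDS, never as data in itself.

```python
import secrets
import struct

OPCODE_NOTIFY = 4   # RFC 1996 NOTIFY opcode
TYPE_CDS = 59       # RFC 7344
TYPE_CDNSKEY = 60   # RFC 7344
TYPE_CSYNC = 62     # RFC 7477
CLASS_IN = 1

def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_notify(zone, rrtype, msg_id=None):
    """Build a NOTIFY request whose single question names the zone and the changed RR type."""
    if msg_id is None:
        msg_id = secrets.randbelow(1 << 16)
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)   # QR=0, Opcode=NOTIFY, AA=1 (RFC 1996 sec. 3.1)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", rrtype, CLASS_IN)

def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a NOTIFY question")
        labels.append(buf[off:off + n].decode("ascii")); off += n

def parse_notify(msg, delegated):
    """Parent side: return (zone, rrtype) only for a well-formed DNSSEC NOTIFY about a zone we delegate.
    A match is a trigger to poll and DNSSEC-validate the child's CDS/CDNSKEY/CSYNC, nothing more."""
    _msg_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_NOTIFY or qd != 1:
        return None                      # response bit set, wrong opcode or not exactly one question
    zone, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if qclass != CLASS_IN or qtype not in (TYPE_CDS, TYPE_CDNSKEY, TYPE_CSYNC):
        return None                      # ordinary SOA NOTIFYs and unknown types are not our business
    if zone.lower() not in delegated:
        return None                      # ignore notifications for zones we do not delegate
    return zone.lower(), qtype

if __name__ == "__main__":
    delegations = {"child.example.test."}           # constructed sample delegation set
    print(parse_notify(build_notify("child.example.test.", TYPE_CDS), delegations))
```

In production the parent would additionally rate-limit by source and zone, since the message is unauthenticated UDP and the cost of acting on it is a DNSSEC-validated lookup.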



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
