On Tue, 30 Jan 2024, Roy Arends wrote:
One motivation behind DELEG is the ability to use “AliasMode” to point to an
SVCB record elsewhere, which contains a DS record. This way, DS records in
various top level domains can be federated under a single operator. This works
solely if both the DELEG is signed and “elsewhere” is signed.
I don't understand what you are saying here. Can you elaborate and maybe
include an example?
Assume these records in various top level domains at delegation points:
example.com DELEG 0 a1.operator.net
example.net DELEG 0 a2.operator.net
example.org DELEG 0 a3.operator.net
example.uk DELEG 0 a4.operator.net
example.nl DELEG 0 a5.operator.net
example.de DELEG 0 a6.operator.net
In operator.net zone:
$ORIGIN operator.net
a1 SVCB . (DS="19718 13 2 8ACBB0…" ipv4hint=192.0.254.1,192.0.254.2 )
a2 SVCB . (DS="13284 13 2 1CBA01…" ipv4hint=192.0.254.1,192.0.254.2 )
a3 SVCB . (DS="60123 13 2 403832…" ipv4hint=192.0.254.1,192.0.254.2 )
a4 SVCB . (DS="12101 13 2 1A6692…" ipv4hint=192.0.254.1,192.0.254.2 )
a5 SVCB . (DS="18998 13 2 655212…" ipv4hint=192.0.254.1,192.0.254.2 )
a6 SVCB . (DS="34421 13 2 90ABAA…" ipv4hint=192.0.254.1,192.0.254.2 )
This way, the “DELEG” RDATA in the top level domain for “example.$TLD” can be
long-lived, administered by the registrar on behalf of the registrant. The
operator can manage all the relevant configuration material in the operator.net
zone.
Thanks, that made it clear yes. It is an interesting feature.
Paul
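An added illustration of the resolver-side logic the exchange above describes: follow the AliasMode DELEG at the delegation point to the SVCB record at the operator's name, pull the DS out of that record, and refuse to use the DS unless both the DELEG RRset and the SVCB RRset were DNSSEC-validated (Roy's "both the DELEG is signed and elsewhere is signed"). This is example code written for this page, not code from the thread, the DELEG draft or any resolver. The `secure` flags standing in for DNSSEC validation results, the `DS` key on SVCB, the priority `1` on the operator's SVCB records, the alias-hop limit and the shortened digests are all assumptions or constructed sample data.

```python
"""Model of DELEG AliasMode -> SVCB(DS) federation across several TLDs.

Added illustration, not DNSOP or draft code. The `secure` flags are a stand-in
for the DNSSEC validation result a real resolver would compute itself.
"""
import re
from dataclasses import dataclass, field

MAX_ALIAS_HOPS = 8  # assumed loop guard for chained AliasMode targets


@dataclass
class Svcb:
    priority: int              # 0 = AliasMode, >0 = ServiceMode
    target: str                # "." means "this owner name"
    params: dict = field(default_factory=dict)


@dataclass
class RRset:
    """Records plus whether DNSSEC validation of the RRset succeeded (constructed flag)."""
    records: list
    secure: bool


_SVCB_RE = re.compile(r"^(\S+)\s+SVCB\s+(\d+)\s+(\S+)\s*(.*)$")
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_svcb(line: str) -> tuple[str, Svcb]:
    """Parse one SVCB record in presentation form; returns (owner, record)."""
    m = _SVCB_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SVCB record: {line!r}")
    owner, prio, target, rest = m.groups()
    params = {k: (q or u) for k, q, u in _PARAM_RE.findall(rest)}
    return owner.rstrip("."), Svcb(int(prio), target, params)


def parse_ds(text: str) -> tuple[int, int, int, str]:
    """Split DS RDATA 'keytag alg digesttype hexdigest' and sanity-check the digest."""
    tag, alg, dtype, digest = text.split()
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        raise ValueError("DS digest is not hex")
    return int(tag), int(alg), int(dtype), digest.upper()


def resolve_ds(child: str, deleg: dict, svcb: dict):
    """Return the DS tuple for `child` via its DELEG alias, or None if any link is insecure.

    An attacker who can spoof either the unsigned DELEG RRset or the unsigned
    SVCB RRset could substitute their own DS, so neither may be trusted alone.
    """
    rrset = deleg.get(child)
    if rrset is None or not rrset.secure:
        return None
    prio, target = rrset.records[0]
    if prio != 0:
        return None  # ServiceMode DELEG would carry its parameters inline; not modelled
    for _ in range(MAX_ALIAS_HOPS):
        target_set = svcb.get(target)
        if target_set is None or not target_set.secure:
            return None  # "elsewhere" is unsigned or missing: no DS to trust
        rec = target_set.records[0]
        if rec.priority == 0 and rec.target != ".":
            target = rec.target.rstrip(".")  # another alias hop
            continue
        ds = rec.params.get("DS")
        return parse_ds(ds) if ds else None
    return None  # alias chain too long


# Constructed sample data mirroring the thread's layout (digests shortened).
DELEG = {
    "example.com": RRset([(0, "a1.operator.net")], secure=True),
    "example.net": RRset([(0, "a2.operator.net")], secure=True),
    "example.uk":  RRset([(0, "a4.operator.net")], secure=False),  # unsigned parent
}

OPERATOR_ZONE = """\
a1.operator.net. SVCB 1 . DS="19718 13 2 8ACBB0" ipv4hint=192.0.254.1,192.0.254.2
a2.operator.net. SVCB 1 . DS="13284 13 2 1CBA01" ipv4hint=192.0.254.1,192.0.254.2
a4.operator.net. SVCB 1 . DS="12101 13 2 1A6692" ipv4hint=192.0.254.1,192.0.254.2
"""


def operator_zone(secure: bool) -> dict:
    """Build the operator.net SVCB RRsets, all tagged with one validation result."""
    out = {}
    for line in OPERATOR_ZONE.splitlines():
        owner, rec = parse_svcb(line)
        out[owner] = RRset([rec], secure=secure)
    return out


if __name__ == "__main__":
    for name in DELEG:
        print(name, "->", resolve_ds(name, DELEG, operator_zone(True)))
    print("operator.net unsigned ->", resolve_ds("example.com", DELEG, operator_zone(False)))
```

Running it shows the three outcomes that matter: a signed parent plus a signed operator zone yields the DS, an unsigned parent (example.uk here) yields nothing even though the operator's record is fine, and flipping the operator zone to unsigned drops every child's DS at once, which is the flip side of federating them under one operator.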
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop