On Jan 9, 2025, at 15:52, Peter Thomassen <pe...@desec.io> wrote:
> 
> Hi Ed,  (author hat off)
> 
> On 12/24/24 21:23, Edward Lewis wrote:
>> I don’t think the generic TLD restrictions are the bottleneck.
> 
> It is a known fact that several gTLDs [1,2] want to do CDS-based automation 
> and have implementations ready, and are waiting for ICANN's blessings for 
> deployment.
> 
> [1]: 
> https://static.sched.com/hosted_files/icann76/fd/4.5%20Bauland%20-%20CDNSKEY%20Support%20in%20TANGO%20Registry%20Services.pdf
> [2]: 
> https://centralnic.support/hc/en-gb/articles/5957742209309-Automated-DNSSEC-Configuration-CDS-scanning

While I was at ICANN, I couldn’t comment on any rumors I heard.  Since I’ve 
left, I haven’t paid attention.  Nevertheless, my comment was based on not 
seeing tremendous uptake across TLDs outside the ICANN contractual umbrella 
(those not subject to ICANN’s “blessings”).

The lack of deployment, to me, tells me that operators are not overly wowed by 
the mechanism, at least not yet.  Technical gaps are being filled, and once 
there is enough operational guidance in place to handle errors and refused 
requests, parent-child DNSSEC automation ought to hit operational mainstream.

A few operators running it - good.  And these participants are willing to do 
what will make it work.  I’ve never said that anyone will suffer from deploying 
CDS, just that I think it needs more work.

FWIW, I use the word “deployment” as opposed to “implementation” to distinguish 
between developments of code bases (or implementations) from operational use of 
said code bases.  The two words can sometimes have the same meaning, but I am 
differentiating between code bases, for which “standardization” means 
interoperability, and choices made by operations staff managers to make use of 
the technology.

>> Even though there are 3 or 4 times as many gTLDs as ccTLDs, due to backend 
>> operator consolidation, there may be more ccTLD operators than gTLD 
>> operators (handwaving…and some operators are both).  From this, I suspect 
>> that CDS has got to be wrapped in something more operator friendly to gain 
>> more ccTLD operators before I’d agree that gTLD restrictions are the 
>> bottleneck.
> 
> I'm not following what the number of ccTLD implementations has to do with 
> gTLD restrictions.


(I’ve had a tough time getting this into words.  I understand why you ask and 
this is something I’ve given thought but never had to express the “why” before.)

In the gTLD space, the decision maker (the one who gives the go/no go to 
deployment) on average impacts more TLDs than in the ccTLD space.  And a gTLD 
decision maker is held to a broader set of rules than a decision maker in the 
ccTLD space.  Not “more rules” but rules made by a far broader constituency.

One gTLD decision maker might approve a rollout for 200 zones in one decision, 
while most ccTLD decision makers will impact just one zone at a time.  Given 
that any decision to move forward represents the same amount of faith that a 
rollout will go well, there’s a need to recognize that X number of ccTLDs will 
take more decision makers to say “go” than X number of gTLDs.

There’s also the distinction that in the gTLD space, a “go” has to overcome a 
contractual process that is the result of a very broad and lengthy process, 
whereas a ccTLD may have a contract with a smaller governance.  This isn’t to 
say that ccTLDs have it easy when it comes to decision makers - I’ve heard 
experiences of a few and the number of hurdles they need to jump can be 
impressive.  But for some ccTLDs, engineering goals are weighted differently 
compared to other goals.

Going back many years I’d anticipated that improvements like CDS would first 
appear in ccTLDs, which is what has happened.  I’d hoped for a higher tally, 
which leads me to believe that there are gaps remaining.  Once there was 
critical mass, it would be time to bring this to the gTLD arena - which is 
apparently afoot.

How this all ties into generalized-notify: I see CDS as the means of marshaling 
the data from the child to the parent.  Of course, the question is how does the 
child initiate the request (how does the parent sense there is a request) and 
that is what generalized notify is filling, possibly also how the parent 
conveys a response code for the request.  Beyond this, what’s needed is the 
out-of-band operational policies for handling disputes, etc., when things go 
wrong (either through accepting a malicious request or denying an earnest 
request).  Somewhere along the way operators will decide the technology is 
baked enough and take it on as a means of reducing other maintenance costs.

I guess I see the actions of the ccTLD operators to be a truer measure, based on 
technical merits, of DNSSEC automation, than gTLD operators.  What this says 
about DNS operations outside the TLD world, I can’t say.  The goal isn’t to 
grade the technology, but to identify and fill the gaps to make it adoptable…
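To make the parent's accept/refuse side of the exchange above concrete, here is an added illustration (not code from the thread, from any registry, or from the cited implementations) of the checks RFC 7344 section 4 and the RFC 8078 delete sentinel imply before a parent acts on a child's CDS RRset. It assumes the parent's validator has already verified the RRSIG and reports which DNSKEY signed the CDS RRset; the key bytes are constructed dummies.

```python
import hashlib

# Added illustration (not from the thread or any registry): the checks a parent runs
# before acting on a child's CDS RRset (RFC 7344 sect. 4, RFC 8078 delete sentinel).
DELETE = (0, 0, 0, b"\x00")  # RFC 8078 "CDS 0 0 0 00": child asks for DS removal

def wire_name(name):
    """Canonical (lowercased) wire form of an owner name, root label included."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA bytes."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def evaluate_cds(owner, current_ds, child_dnskeys, cds, signer, allow_delete=False):
    """Return (action, reason); signer is the DNSKEY RDATA that the parent's
    validator found signing the CDS RRset (RRSIG checking is assumed done)."""
    current, proposed = set(current_ds), set(cds)
    # 1. The CDS RRset must chain from a DS the parent already publishes.
    if ds_from_dnskey(owner, signer) not in current:
        return "refuse", "CDS not signed by a key matching the published DS set"
    # 2. The delete sentinel must stand alone and is subject to parent policy.
    if DELETE in proposed:
        if proposed != {DELETE}:
            return "refuse", "delete sentinel mixed with other CDS records"
        if not allow_delete:
            return "refuse", "DS removal not permitted by parent policy"
        return "delete", "child requested removal of its DS"
    # 3. A republished, unchanged set is not a request.
    if proposed == current:
        return "noop", "CDS already matches the published DS"
    # 4. The new DS set must still validate the child's DNSKEY RRset.
    if not proposed & {ds_from_dnskey(owner, k) for k in child_dnskeys}:
        return "refuse", "no proposed DS matches a key in the child's DNSKEY RRset"
    return "replace", "publish %d DS record(s)" % len(proposed)

# Constructed sample: two alg-13 KSKs (flags 257, protocol 3) with dummy key bytes.
OWNER = "child.example."
OLD_KSK = bytes([1, 1, 3, 13]) + bytes(range(64))
NEW_KSK = bytes([1, 1, 3, 13]) + bytes(range(64, 128))
```

A rollover is modelled by publishing a CDS for NEW_KSK while OLD_KSK still signs the RRset; signing with the not-yet-delegated NEW_KSK, or proposing a DS for a key absent from the DNSKEY RRset, is refused.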
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org