> On 26 Feb 2019, at 14:46, Tony Finch <d...@dotat.at> wrote:
> 
> Rubens Kuhl <rube...@nic.br> wrote:
>> 
>> I imagine that DNS as a communication channel to assure registrant
>> willingness to change something, similar to CDNS/CDNSKEY, could be quite
>> useful. For instance, if the name servers that are delegated on the
>> registry are now pointing to new name servers, and this response is
>> signed by the current DS/DNSKEY on the delegation, changing the DNS
>> servers for that domain is pretty safe.
> 
> There is RFC 7477 CSYNC, but I don't know of any implementations.


It's possibly something in that direction, but CSYNC sounds a bit more 
complicated by requiring support of a new RR-type on the user side. Using the 
same existing RRs would make it easier for end-user adoption.

I believe an OOB mechanism signalling the user's intent to change name servers 
or in-bailiwick glue records, with the registry then fetching those records, would 
have more traction. The nature of that OOB would be policy-realm dependent; for 
some TLDs it could be as easy as flushing a recursive DNS cache 
(https://developers.google.com/speed/public-dns/cache, 
https://www.verisign.com/en_US/security-services/public-dns/dns-cache/index.xhtml, 
https://cachecheck.opendns.com/), for some it might require a domain:update 
transaction from the registrar.

In all cases, any name server change not coming from a synchronous EPP 
transaction should trigger a poll message informing that the name servers have 
been changed, and to which ones. This is likely something for regext to work on, 
possibly augmenting the existing draft-ietf-regext-change-poll- or using it as 
is.

Security-wise, considering the limited adoption of DNSSEC, for non-signed 
delegations one alternative would be using only TCP queries to verify the new 
records. This is far from perfect, but counters some threat vectors.



Rubens
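
As an added example, not code from this thread or from any registry: the registry-side check described above, written in Python, which fetches the apex NS set from the servers currently in the delegation and accepts the requested change only if they serve it, requiring DNSSEC validation when the delegation has a DS record and TCP-only answers when it does not. The class and function names (Delegation, Answer, verify_change, the fetch callable) are assumptions, the rule that every currently delegated server must return the same answer is added in the spirit of the CDS/CDNSKEY analogy the message draws, and the sample answers are constructed so it runs offline; a real deployment would implement fetch with a validating lookup against each current server.

```python
# Added example, not code from this thread: a registry-side acceptance check
# for an out-of-band name server change. Class and function names are
# assumptions; the answers below are constructed so the check runs offline.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Glue = Dict[str, FrozenSet[str]]           # in-bailiwick NS name -> A/AAAA set


@dataclass(frozen=True)
class Answer:
    """Apex NS answer from one of the servers currently in the delegation."""
    nameservers: FrozenSet[str]
    glue: Glue
    validated: bool      # RRSIGs checked against a chain ending in the parent DS
    transport: str       # "tcp" or "udp"


@dataclass(frozen=True)
class Delegation:
    """The registry's current view of the delegation."""
    zone: str
    nameservers: FrozenSet[str]
    glue: Glue
    ds_present: bool     # DS in the parent => signed delegation


@dataclass(frozen=True)
class PollMessage:
    """Payload for the registrar poll message after a non-EPP change."""
    zone: str
    old_nameservers: FrozenSet[str]
    new_nameservers: FrozenSet[str]
    source: str


Fetch = Callable[[str, str], Optional[Answer]]      # (server, zone) -> Answer
Result = Tuple[bool, str, Optional[PollMessage]]


def in_bailiwick(host: str, zone: str) -> bool:
    return host == zone or host.endswith("." + zone)


def verify_change(d: Delegation, new_ns: FrozenSet[str], new_glue: Glue,
                  fetch: Fetch) -> Result:
    """Accept only if every *current* server serves the requested NS set and
    glue; require validation for signed delegations, TCP for unsigned ones."""
    if not new_ns:
        return False, "empty NS set", None
    answers = []
    for server in sorted(d.nameservers):
        a = fetch(server, d.zone)
        if a is None:
            return False, f"no answer from {server}", None
        if d.ds_present and not a.validated:
            return False, f"answer from {server} did not validate", None
        if not d.ds_present and a.transport != "tcp":
            # Unsigned: TCP raises the bar against off-path spoofing of the
            # verification query, but is not proof of registrant intent.
            return False, f"unsigned delegation, {a.transport} answer from {server} refused", None
        answers.append(a)
    first = answers[0]
    if any(a.nameservers != first.nameservers or a.glue != first.glue for a in answers):
        return False, "current servers disagree on NS/glue", None
    if first.nameservers != new_ns:
        return False, "served NS set differs from requested change", None
    for host in sorted(new_ns):
        if in_bailiwick(host, d.zone):
            if first.glue.get(host) != new_glue.get(host):
                return False, f"glue mismatch for {host}", None
        elif host in new_glue:
            return False, f"glue supplied for out-of-bailiwick {host}", None
    return True, "ok", PollMessage(d.zone, d.nameservers, new_ns, "oob-ns-update")


# Constructed sample data (not real zones or hosts).
OLD = frozenset({"ns1.old-host.example", "ns2.old-host.example"})
NEW = frozenset({"ns1.example.tld", "ns.new-host.example"})
NEW_GLUE: Glue = {"ns1.example.tld": frozenset({"192.0.2.53"})}
SIGNED = Delegation("example.tld", OLD, {}, ds_present=True)
UNSIGNED = Delegation("example.tld", OLD, {}, ds_present=False)


def make_fetch(per_server: Dict[str, Optional[Answer]]) -> Fetch:
    return lambda server, zone: per_server.get(server)


def demo() -> Dict[str, Result]:
    good = Answer(NEW, NEW_GLUE, validated=True, transport="tcp")
    return {
        "signed_ok": verify_change(SIGNED, NEW, NEW_GLUE,
                                   make_fetch({s: good for s in OLD})),
        "signed_one_unvalidated": verify_change(SIGNED, NEW, NEW_GLUE, make_fetch({
            "ns1.old-host.example": good,
            "ns2.old-host.example": Answer(NEW, NEW_GLUE, False, "tcp")})),
        "unsigned_udp": verify_change(UNSIGNED, NEW, NEW_GLUE, make_fetch(
            {s: Answer(NEW, NEW_GLUE, False, "udp") for s in OLD})),
        "unsigned_tcp": verify_change(UNSIGNED, NEW, NEW_GLUE, make_fetch(
            {s: Answer(NEW, NEW_GLUE, False, "tcp") for s in OLD})),
        "glue_missing": verify_change(SIGNED, NEW, {},
                                      make_fetch({s: good for s in OLD})),
    }


if __name__ == "__main__":
    for name, (ok, reason, poll) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})", poll or "")
```

The PollMessage returned on acceptance carries the old and new NS sets, which is the data the poll message described above would need to deliver; the TCP-only branch is deliberately a weaker check than the validated one, matching the "far from perfect" caveat.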



_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext